tests/test-ui-config.py.out
author Sean Farley <sean@farley.io>
Fri, 28 Jul 2017 16:32:25 -0700
branch stable
changeset 33650 0b3fe3910ef5
parent 32449 0ed730f3301c
child 37937 a2cfea193040
permissions -rw-r--r--
util: add utility method to check for bad ssh URLs (SEC)

Our use of SSH has an exploit that will parse the first part of a URL blindly as a hostname. Prior to this set of security patches, a URL with '-oProxyCommand' could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' can be abused to execute arbitrary commands in a similar fashion.

We defend against this by checking ssh:// URLs and looking for a hostname that starts with a - or contains a |. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.
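The following Python validator is an added illustration of the check the commit message describes; it is not the changeset's own util code and the function names (ssh_authority, check_safe_ssh, is_safe_ssh_url, UnsafeSshUrl) are chosen for this example. It takes the authority part of an ssh:// URL (everything between the scheme and the first slash, i.e. user@host:port) and aborts when it starts with '-' or contains '|'. Percent-decoding the URL before the check is an assumption of this example, so that an encoded '%2D' does not slip past a naive prefix test. The sample URLs at the bottom are constructed for the demonstration.

```python
from urllib.parse import unquote

# Added example, not Mercurial's code: reject ssh:// URLs whose authority
# would reach the ssh client as an option (leading '-') or a shell pipe ('|').

SSH_SCHEME = "ssh://"


class UnsafeSshUrl(ValueError):
    """Raised when an ssh:// URL would not be handed to ssh as a plain host."""


def ssh_authority(url):
    """Return the authority (user@host:port) of an ssh:// URL, or None when
    the URL does not use the ssh scheme (and therefore never reaches ssh)."""
    if not url.lower().startswith(SSH_SCHEME):
        return None
    rest = url[len(SSH_SCHEME):]
    # The authority ends at the first '/', which begins the repository path.
    return rest.split("/", 1)[0]


def check_safe_ssh(url):
    """Abort on an ssh:// URL whose hostname part starts with '-' (ssh would
    parse it as an option such as -oProxyCommand) or contains '|' (abusable
    as a pipe, at least on Windows). Returns the URL unchanged if it is fine.

    Decoding percent-escapes first is this example's assumption: the check is
    applied to what ssh would actually see, not to the encoded spelling."""
    authority = ssh_authority(unquote(url))
    if authority is None:
        return url
    if authority.startswith("-"):
        raise UnsafeSshUrl("potentially unsafe url: %r (hostname starts with '-')" % url)
    if "|" in authority:
        raise UnsafeSshUrl("potentially unsafe url: %r (hostname contains '|')" % url)
    return url


def is_safe_ssh_url(url):
    """Boolean form of check_safe_ssh, convenient for tests and filtering."""
    try:
        check_safe_ssh(url)
    except UnsafeSshUrl:
        return False
    return True


# Constructed sample URLs: the first two are ordinary, the rest exercise the
# rejected shapes (leading '-', pipe, percent-encoded '-') and a non-ssh scheme.
SAMPLE_URLS = [
    "ssh://user@example.org/repo",
    "ssh://user@example.org:2222/repo",
    "ssh://-oProxyCommand=x/repo",
    "ssh://example.org|x/repo",
    "ssh://%2Dexample.org/repo",
    "https://-not-ssh.example/repo",
]


def classify(urls):
    """Return a list of (url, is_safe) pairs for the given URLs."""
    return [(u, is_safe_ssh_url(u)) for u in urls]


if __name__ == "__main__":
    for url, safe in classify(SAMPLE_URLS):
        print("%-40s %s" % (url, "ok" if safe else "ABORT"))
```

Only the authority is inspected, so a '-' or '|' inside the repository path is left alone; the path never becomes an ssh command-line argument in its own right. A URL with a non-ssh scheme is returned untouched because it never reaches the ssh client.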

[('string', 'string value'), ('bool1', 'true'), ('bool2', 'false'), ('boolinvalid', 'foo'), ('int1', '42'), ('int2', '-42'), ('intinvalid', 'foo')]
[('list1', 'foo'), ('list2', 'foo bar baz'), ('list3', 'alice, bob'), ('list4', 'foo bar baz alice, bob'), ('list5', 'abc d"ef"g "hij def"'), ('list6', '"hello world", "how are you?"'), ('list7', 'Do"Not"Separate'), ('list8', '"Do"Separate'), ('list9', '"Do\\"NotSeparate"'), ('list10', 'string "with extraneous" quotation mark"'), ('list11', 'x, y'), ('list12', '"x", "y"'), ('list13', '""" key = "x", "y" """'), ('list14', ',,,,'), ('list15', '" just with starting quotation'), ('list16', '"longer quotation" with "no ending quotation'), ('list17', 'this is \\" "not a quotation mark"'), ('list18', 'ding\ndong')]
---
'string value'
'true'
'false'
None
---
values.string is not a boolean ('string value')
True
False
False
False
True
---
42
-42
---
['foo']
['foo', 'bar', 'baz']
['alice', 'bob']
['foo', 'bar', 'baz', 'alice', 'bob']
['foo', 'bar', 'baz', 'alice', 'bob']
['abc', 'd"ef"g', 'hij def']
['hello world', 'how are you?']
['Do"Not"Separate']
['Do', 'Separate']
['Do"NotSeparate']
['string', 'with extraneous', 'quotation', 'mark"']
['x', 'y']
['x', 'y']
['', ' key = ', 'x"', 'y', '', '"']
[]
['"', 'just', 'with', 'starting', 'quotation']
['longer quotation', 'with', '"no', 'ending', 'quotation']
['this', 'is', '"', 'not a quotation mark']
['ding', 'dong']
[]
[]
['foo']
['foo']
['foo', 'bar']
['foo', 'bar']
['foo bar']
['foo', 'bar']
---
(0, 0)
(1113868800, 0)
None
True
boolinvalid
intinvalid
dateinvalid