Mercurial > hg
view tests/test-archive-symlinks.t @ 33657:60ee7af2a2ba stable
subrepo: add tests for svn rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
author | Sean Farley <sean@farley.io> |
---|---|
date | Mon, 31 Jul 2017 16:44:17 -0700 |
parents | c4d03b6d9576 |
children |
line wrap: on
line source
#require symlink $ origdir=`pwd` $ hg init repo $ cd repo $ ln -s nothing dangling avoid tar warnings about old timestamp $ hg ci -d '2000-01-01 00:00:00 +0000' -qAm 'add symlink' $ hg archive -t files ../archive $ hg archive -t tar -p tar ../archive.tar $ hg archive -t zip -p zip ../archive.zip files $ cd "$origdir" $ cd archive $ readlink.py dangling dangling -> nothing tar $ cd "$origdir" $ tar xf archive.tar $ cd tar $ readlink.py dangling dangling -> nothing #if unziplinks zip $ cd "$origdir" $ unzip archive.zip > /dev/null 2>&1 $ cd zip $ readlink.py dangling dangling -> nothing #endif $ cd ..