Mercurial > hg
view tests/test-abort-checkin.t @ 29051:a56296f55a5e stable 3.8.1
convert: pass absolute paths to git (SEC)
Fixes CVE-2016-3105 (1/1).
Previously, it was possible for the repository path passed to git-ls-remote
to be misinterpreted as a URL.
Always passing an absolute path to git is a simple way to avoid this.
author | Blake Burkhart <bburky@bburky.com> |
---|---|
date | Wed, 06 Apr 2016 22:57:46 -0500 |
parents | 56b2bcea2529 |
children | f798709eb4b9 |
line wrap: on
line source
$ cat > abortcommit.py <<EOF > from mercurial import error > def hook(**args): > raise error.Abort("no commits allowed") > def reposetup(ui, repo): > repo.ui.setconfig("hooks", "pretxncommit.nocommits", hook) > EOF $ abspath=`pwd`/abortcommit.py $ cat <<EOF >> $HGRCPATH > [extensions] > mq = > abortcommit = $abspath > EOF $ hg init foo $ cd foo $ echo foo > foo $ hg add foo mq may keep a reference to the repository so __del__ will not be called and .hg/journal.dirstate will not be deleted: $ hg ci -m foo error: pretxncommit.nocommits hook failed: no commits allowed transaction abort! rollback completed abort: no commits allowed [255] $ hg ci -m foo error: pretxncommit.nocommits hook failed: no commits allowed transaction abort! rollback completed abort: no commits allowed [255] $ cd ..