Mercurial > hg
view tests/test-hgwebdirsym.t @ 29051:a56296f55a5e stable 3.8.1
convert: pass absolute paths to git (SEC)
Fixes CVE-2016-3105 (1/1).
Previously, it was possible for the repository path passed to git-ls-remote
to be misinterpreted as a URL.
Always passing an absolute path to git is a simple way to avoid this.
author | Blake Burkhart <bburky@bburky.com> |
---|---|
date | Wed, 06 Apr 2016 22:57:46 -0500 |
parents | 4d2b9b304ad0 |
children |
line wrap: on
line source
#require serve symlink Tests whether or not hgwebdir properly handles various symlink topologies. hide outer repo $ hg init $ hg init a $ echo a > a/a $ hg --cwd a ci -Ama -d'1 0' adding a $ mkdir webdir $ cd webdir $ hg init b $ echo b > b/b $ hg --cwd b ci -Amb -d'2 0' adding b $ hg init c $ echo c > c/c $ hg --cwd c ci -Amc -d'3 0' adding c $ ln -s ../a al $ ln -s ../webdir circle $ root=`pwd` $ cd .. $ cat > collections.conf <<EOF > [collections] > $root=$root > EOF $ hg serve -p $HGPORT -d --pid-file=hg.pid --webdir-conf collections.conf \ > -A access-collections.log -E error-collections.log $ cat hg.pid >> $DAEMON_PIDS should succeed $ get-with-headers.py localhost:$HGPORT '?style=raw' 200 Script output follows /al/ /b/ /c/ $ get-with-headers.py localhost:$HGPORT 'al/file/tip/a?style=raw' 200 Script output follows a $ get-with-headers.py localhost:$HGPORT 'b/file/tip/b?style=raw' 200 Script output follows b $ get-with-headers.py localhost:$HGPORT 'c/file/tip/c?style=raw' 200 Script output follows c should fail $ get-with-headers.py localhost:$HGPORT 'circle/al/file/tip/a?style=raw' 404 Not Found error: repository circle/al/file/tip/a not found [1] $ get-with-headers.py localhost:$HGPORT 'circle/b/file/tip/a?style=raw' 404 Not Found error: repository circle/b/file/tip/a not found [1] $ get-with-headers.py localhost:$HGPORT 'circle/c/file/tip/a?style=raw' 404 Not Found error: repository circle/c/file/tip/a not found [1] collections errors $ cat error-collections.log