Mercurial > hg
view tests/test-username-newline.t @ 29051:a56296f55a5e stable 3.8.1
convert: pass absolute paths to git (SEC)
Fixes CVE-2016-3105 (1/1).
Previously, it was possible for the repository path passed to git-ls-remote
to be misinterpreted as a URL.
Always passing an absolute path to git is a simple way to avoid this.
author | Blake Burkhart <bburky@bburky.com> |
---|---|
date | Wed, 06 Apr 2016 22:57:46 -0500 |
parents | 3b165c127690 |
children | 5ac845ca059a |
line wrap: on
line source
$ hg init $ touch a $ unset HGUSER $ echo "[ui]" >> .hg/hgrc $ echo "username= foo" >> .hg/hgrc $ echo " bar1" >> .hg/hgrc $ hg ci -Am m adding a abort: username 'foo\nbar1' contains a newline [255] $ rm .hg/hgrc $ HGUSER=`(echo foo; echo bar2)` hg ci -Am m abort: username 'foo\nbar2' contains a newline [255] $ hg ci -Am m -u "`(echo foo; echo bar3)`" transaction abort! rollback completed abort: username 'foo\nbar3' contains a newline! [255]