view hgext/largefiles/wirestore.py @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
author | Mateusz Kwapich <mitrandir@fb.com> |
---|---|
date | Tue, 22 Mar 2016 17:27:27 -0700 |
parents | 9d33d6e0d442 |
children | b6e71f8af5b8 |
```python
# Copyright 2010-2011 Fog Creek Software
#
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.

'''largefile store working over Mercurial's wire protocol'''

import lfutil
import remotestore

class wirestore(remotestore.remotestore):
    def __init__(self, ui, repo, remote):
        # The remote must advertise the 'largefiles' capability and list
        # 'serve' among its comma-separated store types.
        cap = remote.capable('largefiles')
        if not cap:
            raise lfutil.storeprotonotcapable([])
        storetypes = cap.split(',')
        if 'serve' not in storetypes:
            raise lfutil.storeprotonotcapable(storetypes)
        self.remote = remote
        super(wirestore, self).__init__(ui, repo, remote.url())

    def _put(self, hash, fd):
        return self.remote.putlfile(hash, fd)

    def _get(self, hash):
        return self.remote.getlfile(hash)

    def _stat(self, hashes):
        '''For each hash, return 0 if it is available, other values if not.
        It is usually 2 if the largefile is missing, but might be 1 if the
        server has a corrupted copy.'''
        # Queue one statlfile call per hash, then send them with submit().
        batch = self.remote.batch()
        futures = {}
        for hash in hashes:
            futures[hash] = batch.statlfile(hash)
        batch.submit()
        # Collect each call's result after the batch has been submitted.
        retval = {}
        for hash in hashes:
            retval[hash] = futures[hash].value
        return retval
```