view tests/dumbhttp.py @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
author | Mateusz Kwapich <mitrandir@fb.com> |
---|---|
date | Tue, 22 Mar 2016 17:27:27 -0700 |
parents | 0bb8c405a7c7 |
children | 7623ba92af72 |
#!/usr/bin/env python from __future__ import absolute_import """ Small and dumb HTTP server for use in tests. """ import optparse import BaseHTTPServer import signal import SimpleHTTPServer import sys from mercurial import ( cmdutil, ) OptionParser = optparse.OptionParser class simplehttpservice(object): def __init__(self, host, port): self.address = (host, port) def init(self): self.httpd = BaseHTTPServer.HTTPServer( self.address, SimpleHTTPServer.SimpleHTTPRequestHandler) def run(self): self.httpd.serve_forever() if __name__ == '__main__': parser = OptionParser() parser.add_option('-p', '--port', dest='port', type='int', default=8000, help='TCP port to listen on', metavar='PORT') parser.add_option('-H', '--host', dest='host', default='localhost', help='hostname or IP to listen on', metavar='HOST') parser.add_option('--pid', dest='pid', help='file name where the PID of the server is stored') parser.add_option('-f', '--foreground', dest='foreground', action='store_true', help='do not start the HTTP server in the background') parser.add_option('--daemon-pipefds') (options, args) = parser.parse_args() signal.signal(signal.SIGTERM, lambda x, y: sys.exit(0)) if options.foreground and options.pid: parser.error("options --pid and --foreground are mutually exclusive") opts = {'pid_file': options.pid, 'daemon': not options.foreground, 'daemon_pipefds': options.daemon_pipefds} service = simplehttpservice(options.host, options.port) cmdutil.service(opts, initfn=service.init, runfn=service.run, runargs=[sys.executable, __file__] + sys.argv[1:])