Mercurial > hg
view tests/dummyssh @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
author | Mateusz Kwapich <mitrandir@fb.com> |
---|---|
date | Tue, 22 Mar 2016 17:27:27 -0700 |
parents | f266cb3f1c2b |
children | 26d4ce8ca2bd |
line wrap: on
line source
#!/usr/bin/env python import sys import os os.chdir(os.getenv('TESTTMP')) if sys.argv[1] != "user@dummy": sys.exit(-1) os.environ["SSH_CLIENT"] = "127.0.0.1 1 2" log = open("dummylog", "ab") log.write("Got arguments") for i, arg in enumerate(sys.argv[1:]): log.write(" %d:%s" % (i + 1, arg)) log.write("\n") log.close() hgcmd = sys.argv[2] if os.name == 'nt': # hack to make simple unix single quote quoting work on windows hgcmd = hgcmd.replace("'", '"') r = os.system(hgcmd) sys.exit(bool(r))