Mercurial > hg
view tests/md5sum.py @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
author | Mateusz Kwapich <mitrandir@fb.com> |
---|---|
date | Tue, 22 Mar 2016 17:27:27 -0700 |
parents | 328739ea70c3 |
children | 6a98f9408a50 |
line wrap: on
line source
#!/usr/bin/env python # # Based on python's Tools/scripts/md5sum.py # # This software may be used and distributed according to the terms # of the PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2, which is # GPL-compatible. import sys, os try: from hashlib import md5 except ImportError: from md5 import md5 try: import msvcrt msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY) msvcrt.setmode(sys.stderr.fileno(), os.O_BINARY) except ImportError: pass for filename in sys.argv[1:]: try: fp = open(filename, 'rb') except IOError as msg: sys.stderr.write('%s: Can\'t open: %s\n' % (filename, msg)) sys.exit(1) m = md5() try: while True: data = fp.read(8192) if not data: break m.update(data) except IOError as msg: sys.stderr.write('%s: I/O error: %s\n' % (filename, msg)) sys.exit(1) sys.stdout.write('%s %s\n' % (m.hexdigest(), filename)) sys.exit(0)