Mercurial > hg
view tests/test-archive-symlinks.t @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
author | Mateusz Kwapich <mitrandir@fb.com> |
---|---|
date | Tue, 22 Mar 2016 17:27:27 -0700 |
parents | 4d2b9b304ad0 |
children | c4d03b6d9576 |
line wrap: on
line source
#require symlink $ origdir=`pwd` $ hg init repo $ cd repo $ ln -s nothing dangling avoid tar warnings about old timestamp $ hg ci -d '2000-01-01 00:00:00 +0000' -qAm 'add symlink' $ hg archive -t files ../archive $ hg archive -t tar -p tar ../archive.tar $ hg archive -t zip -p zip ../archive.zip files $ cd "$origdir" $ cd archive $ readlink.py dangling dangling -> nothing tar $ cd "$origdir" $ tar xf archive.tar $ cd tar $ readlink.py dangling dangling -> nothing zip $ cd "$origdir" $ unzip archive.zip > /dev/null 2>&1 $ cd zip $ readlink.py dangling dangling -> nothing $ cd ..