view tests/test-archive-symlinks.t @ 28663:ae279d4a19e9 stable 3.7.3

convert: test for shell injection in git calls (SEC) CVE-2016-3069 (5/5) Before recent refactoring we were not escaping calls to git at all which made such injections possible. Let's have a test for that to avoid this problem in the future. Reported by Blake Burkhart.
author Mateusz Kwapich <mitrandir@fb.com>
date Tue, 22 Mar 2016 17:27:27 -0700
parents 4d2b9b304ad0
children c4d03b6d9576
line wrap: on
line source

#require symlink

  $ origdir=`pwd`

  $ hg init repo
  $ cd repo
  $ ln -s nothing dangling

avoid tar warnings about old timestamp

  $ hg ci -d '2000-01-01 00:00:00 +0000' -qAm 'add symlink'

  $ hg archive -t files ../archive
  $ hg archive -t tar -p tar ../archive.tar
  $ hg archive -t zip -p zip ../archive.zip

files

  $ cd "$origdir"
  $ cd archive
  $ readlink.py dangling
  dangling -> nothing

tar

  $ cd "$origdir"
  $ tar xf archive.tar
  $ cd tar
  $ readlink.py dangling
  dangling -> nothing

zip

  $ cd "$origdir"
  $ unzip archive.zip > /dev/null 2>&1
  $ cd zip
  $ readlink.py dangling
  dangling -> nothing

  $ cd ..