view tests/test-debugextensions.t @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
author | Mateusz Kwapich <mitrandir@fb.com> |
---|---|
date | Tue, 22 Mar 2016 17:27:27 -0700 |
parents | 1f8208a7277e |
children | a6573503342d |
```
  $ hg debugextensions

  $ debugpath=`pwd`/extwithoutinfos.py

  $ cat > extwithoutinfos.py <<EOF
  > EOF

  $ cat >> $HGRCPATH <<EOF
  > [extensions]
  > color=
  > histedit=
  > patchbomb=
  > rebase=
  > mq=
  > ext1 = $debugpath
  > EOF

  $ hg debugextensions
  color
  ext1 (untested!)
  histedit
  mq
  patchbomb
  rebase

  $ hg debugextensions -v
  color
    location: */hgext/color.pyc (glob)
    tested with: internal
  ext1
    location: */extwithoutinfos.pyc (glob)
  histedit
    location: */hgext/histedit.pyc (glob)
    tested with: internal
  mq
    location: */hgext/mq.pyc (glob)
    tested with: internal
  patchbomb
    location: */hgext/patchbomb.pyc (glob)
    tested with: internal
  rebase
    location: */hgext/rebase.pyc (glob)
    tested with: internal

  $ hg debugextensions -Tjson | sed 's|\\\\|/|g'
  [
   {
    "buglink": "",
    "name": "color",
    "source": "*/hgext/color.pyc", (glob)
    "testedwith": "internal"
   },
   {
    "buglink": "",
    "name": "ext1",
    "source": "*/extwithoutinfos.pyc", (glob)
    "testedwith": ""
   },
   {
    "buglink": "",
    "name": "histedit",
    "source": "*/hgext/histedit.pyc", (glob)
    "testedwith": "internal"
   },
   {
    "buglink": "",
    "name": "mq",
    "source": "*/hgext/mq.pyc", (glob)
    "testedwith": "internal"
   },
   {
    "buglink": "",
    "name": "patchbomb",
    "source": "*/hgext/patchbomb.pyc", (glob)
    "testedwith": "internal"
   },
   {
    "buglink": "",
    "name": "rebase",
    "source": "*/hgext/rebase.pyc", (glob)
    "testedwith": "internal"
   }
  ]
```