Mercurial > hg
view tests/test-eolfilename.t @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
author | Mateusz Kwapich <mitrandir@fb.com> |
---|---|
date | Tue, 22 Mar 2016 17:27:27 -0700 |
parents | 2fc86d92c4a9 |
children | 2def402bd16d |
line wrap: on
line source
#require eol-in-paths https://bz.mercurial-scm.org/352 test issue352 $ hg init foo $ cd foo $ A=`printf 'he\rllo'` $ echo foo > "$A" $ hg add adding he\r (no-eol) (esc) llo abort: '\n' and '\r' disallowed in filenames: 'he\rllo' [255] $ hg ci -A -m m adding he\r (no-eol) (esc) llo abort: '\n' and '\r' disallowed in filenames: 'he\rllo' [255] $ rm "$A" $ echo foo > "hell > o" $ hg add adding hell o abort: '\n' and '\r' disallowed in filenames: 'hell\no' [255] $ hg ci -A -m m adding hell o abort: '\n' and '\r' disallowed in filenames: 'hell\no' [255] $ echo foo > "$A" $ hg debugwalk f he\r (no-eol) (esc) llo he\r (no-eol) (esc) llo f hell o hell o $ echo bla > quickfox $ hg add quickfox $ hg ci -m 2 $ A=`printf 'quick\rfox'` $ hg cp quickfox "$A" abort: '\n' and '\r' disallowed in filenames: 'quick\rfox' [255] $ hg mv quickfox "$A" abort: '\n' and '\r' disallowed in filenames: 'quick\rfox' [255] https://bz.mercurial-scm.org/2036 $ cd .. test issue2039 $ hg init bar $ cd bar $ cat <<EOF >> $HGRCPATH > [extensions] > color = > [color] > mode = ansi > EOF $ A=`printf 'foo\nbar'` $ B=`printf 'foo\nbar.baz'` $ touch "$A" $ touch "$B" $ hg status --color=always \x1b[0;35;1;4m? \x1b[0m\x1b[0;35;1;4mfoo\x1b[0m (esc) \x1b[0;35;1;4mbar\x1b[0m (esc) \x1b[0;35;1;4m? \x1b[0m\x1b[0;35;1;4mfoo\x1b[0m (esc) \x1b[0;35;1;4mbar.baz\x1b[0m (esc) $ cd ..