view tests/test-push-hook-lock.t @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
| author | Mateusz Kwapich <mitrandir@fb.com> |
|---|---|
| date | Tue, 22 Mar 2016 17:27:27 -0700 |
| parents | 00e4c5601c74 |
| children | ac9b85079122 |
```
  $ hg init 1
  $ echo '[ui]' >> 1/.hg/hgrc
  $ echo 'timeout = 10' >> 1/.hg/hgrc
  $ echo foo > 1/foo
  $ hg --cwd 1 ci -A -m foo
  adding foo
  $ hg clone 1 2
  updating to branch default
  1 files updated, 0 files merged, 0 files removed, 0 files unresolved
  $ hg clone 2 3
  updating to branch default
  1 files updated, 0 files merged, 0 files removed, 0 files unresolved
  $ cat <<EOF > $TESTTMP/debuglocks-pretxn-hook.sh
  > hg debuglocks
  > true
  > EOF
  $ echo '[hooks]' >> 2/.hg/hgrc
  $ echo "pretxnchangegroup.a = sh $TESTTMP/debuglocks-pretxn-hook.sh" >> 2/.hg/hgrc
  $ echo 'changegroup.push = hg push -qf ../1' >> 2/.hg/hgrc
  $ echo bar >> 3/foo
  $ hg --cwd 3 ci -m bar
  $ hg --cwd 3 push ../2 --config experimental.bundle2-exp=False
  pushing to ../2
  searching for changes
  adding changesets
  adding manifests
  adding file changes
  added 1 changesets with 1 changes to 1 files
  lock: user *, process * (*s) (glob)
  wlock: free
  $ hg --cwd 1 --config extensions.strip= strip tip -q
  $ hg --cwd 2 --config extensions.strip= strip tip -q
  $ hg --cwd 3 push ../2 --config experimental.bundle2-exp=True
  pushing to ../2
  searching for changes
  adding changesets
  adding manifests
  adding file changes
  added 1 changesets with 1 changes to 1 files
  lock: user *, process * (*s) (glob)
  wlock: user *, process * (*s) (glob)
```