view tests/test-revlog.t @ 28663:ae279d4a19e9 stable 3.7.3

convert: test for shell injection in git calls (SEC) CVE-2016-3069 (5/5) Before recent refactoring we were not escaping calls to git at all which made such injections possible. Let's have a test for that to avoid this problem in the future. Reported by Blake Burkhart.
author Mateusz Kwapich <mitrandir@fb.com>
date Tue, 22 Mar 2016 17:27:27 -0700
parents b6ed2505d6cf
children f736f98e16ca
line wrap: on
line source

Test for CVE-2016-3630

  $ hg init

  >>> open("a.i", "w").write(
  ... """eJxjYGZgZIAAYQYGxhgom+k/FMx8YKx9ZUaKSOyqo4cnuKb8mbqHV5cBCVTMWb1Cwqkhe4Gsg9AD
  ... Joa3dYtcYYYBAQ8Qr4OqZAYRICPTSr5WKd/42rV36d+8/VmrNpv7NP1jQAXrQE4BqQUARngwVA=="""
  ... .decode("base64").decode("zlib"))

  $ hg debugindex a.i
     rev    offset  length  delta linkrev nodeid       p1           p2
       0         0      19     -1       2 99e0332bd498 000000000000 000000000000
       1        19      12      0       3 6674f57a23d8 99e0332bd498 000000000000
  $ hg debugdata a.i 1 2>&1 | grep decoded
  mpatch.mpatchError: patch cannot be decoded