Mercurial > hg
view tests/test-schemes.t @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
author | Mateusz Kwapich <mitrandir@fb.com> |
---|---|
date | Tue, 22 Mar 2016 17:27:27 -0700 |
parents | 7a9cbb315d84 |
children | bf1d5c223ac0 |
```
#require serve

  $ cat <<EOF >> $HGRCPATH
  > [extensions]
  > schemes=
  > 
  > [schemes]
  > l = http://localhost:$HGPORT/
  > parts = http://{1}:$HGPORT/
  > z = file:\$PWD/
  > EOF
  $ hg init test
  $ cd test
  $ echo a > a
  $ hg ci -Am initial
  adding a

invalid scheme

  $ hg log -R z:z
  abort: no '://' in scheme url 'z:z'
  [255]

http scheme

  $ hg serve -n test -p $HGPORT -d --pid-file=hg.pid -A access.log -E errors.log
  $ cat hg.pid >> $DAEMON_PIDS
  $ hg incoming l://
  comparing with l://
  searching for changes
  no changes found
  [1]

check that {1} syntax works

  $ hg incoming --debug parts://localhost
  using http://localhost:$HGPORT/
  sending capabilities command
  comparing with parts://localhost/
  query 1; heads
  sending batch command
  searching for changes
  all remote heads known locally
  no changes found
  [1]

check that paths are expanded

  $ PWD=`pwd` hg incoming z://
  comparing with z://
  searching for changes
  no changes found
  [1]

errors

  $ cat errors.log

  $ cd ..
```