view tests/test-ui-color.py @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
author | Mateusz Kwapich <mitrandir@fb.com> |
---|---|
date | Tue, 22 Mar 2016 17:27:27 -0700 |
parents | ff1586a3adc5 |
children | 2e5be704bc96 |
```python
import os
from hgext import color
from mercurial import dispatch, ui

# ensure errors aren't buffered
testui = color.colorui()
testui.pushbuffer()
testui.write(('buffered\n'))
testui.warn(('warning\n'))
testui.write_err('error\n')
print repr(testui.popbuffer())

# test dispatch.dispatch with the same ui object
hgrc = open(os.environ["HGRCPATH"], 'w')
hgrc.write('[extensions]\n')
hgrc.write('color=\n')
hgrc.close()

ui_ = ui.ui()
ui_.setconfig('ui', 'formatted', 'True')

# we're not interested in the output, so write that to devnull
ui_.fout = open(os.devnull, 'w')

# call some arbitrary command just so we go through
# color's wrapped _runcommand twice.
def runcmd():
    dispatch.dispatch(dispatch.request(['version', '-q'], ui_))

runcmd()
print "colored? " + str(issubclass(ui_.__class__, color.colorui))
runcmd()
print "colored? " + str(issubclass(ui_.__class__, color.colorui))
```