view tests/test-ui-config.py.out @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
author | Mateusz Kwapich <mitrandir@fb.com> |
---|---|
date | Tue, 22 Mar 2016 17:27:27 -0700 |
parents | fa2b596db182 |
children | a6344df5108e |
```
[('string', 'string value'), ('bool1', 'true'), ('bool2', 'false'), ('boolinvalid', 'foo'), ('int1', '42'), ('int2', '-42'), ('intinvalid', 'foo')]
[('list1', 'foo'), ('list2', 'foo bar baz'), ('list3', 'alice, bob'), ('list4', 'foo bar baz alice, bob'), ('list5', 'abc d"ef"g "hij def"'), ('list6', '"hello world", "how are you?"'), ('list7', 'Do"Not"Separate'), ('list8', '"Do"Separate'), ('list9', '"Do\\"NotSeparate"'), ('list10', 'string "with extraneous" quotation mark"'), ('list11', 'x, y'), ('list12', '"x", "y"'), ('list13', '""" key = "x", "y" """'), ('list14', ',,,, '), ('list15', '" just with starting quotation'), ('list16', '"longer quotation" with "no ending quotation'), ('list17', 'this is \\" "not a quotation mark"'), ('list18', '\n \n\nding\ndong')]
---
'string value'
'true'
'false'
None
---
values.string is not a boolean ('string value')
True
False
False
False
True
---
42
-42
---
['foo']
['foo', 'bar', 'baz']
['alice', 'bob']
['foo', 'bar', 'baz', 'alice', 'bob']
['foo', 'bar', 'baz', 'alice', 'bob']
['abc', 'd"ef"g', 'hij def']
['hello world', 'how are you?']
['Do"Not"Separate']
['Do', 'Separate']
['Do"NotSeparate']
['string', 'with extraneous', 'quotation', 'mark"']
['x', 'y']
['x', 'y']
['', ' key = ', 'x"', 'y', '', '"']
[]
['"', 'just', 'with', 'starting', 'quotation']
['longer quotation', 'with', '"no', 'ending', 'quotation']
['this', 'is', '"', 'not a quotation mark']
['ding', 'dong']
[]
[]
['foo']
['foo']
['foo', 'bar']
['foo', 'bar']
['foo bar']
['foo', 'bar']
None
True
boolinvalid
intinvalid
```