Mercurial > hg
view tests/test-username-newline.t @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
author | Mateusz Kwapich <mitrandir@fb.com> |
---|---|
date | Tue, 22 Mar 2016 17:27:27 -0700 |
parents | 3b165c127690 |
children | 5ac845ca059a |
line wrap: on
line source
$ hg init $ touch a $ unset HGUSER $ echo "[ui]" >> .hg/hgrc $ echo "username= foo" >> .hg/hgrc $ echo " bar1" >> .hg/hgrc $ hg ci -Am m adding a abort: username 'foo\nbar1' contains a newline [255] $ rm .hg/hgrc $ HGUSER=`(echo foo; echo bar2)` hg ci -Am m abort: username 'foo\nbar2' contains a newline [255] $ hg ci -Am m -u "`(echo foo; echo bar3)`" transaction abort! rollback completed abort: username 'foo\nbar3' contains a newline! [255]