Sat, 05 Aug 2017 05:25:36 +0530 releasenotes: add similarity check function to compare incoming notes
Rishabh Madan <rishabhmadan96@gmail.com> [Sat, 05 Aug 2017 05:25:36 +0530] rev 33698
releasenotes: add similarity check function to compare incoming notes It is possible that the incoming note fragments have some similar content as the existing release notes. In case of a bug fix, we match for issueNNNN in the existing notes. For other general cases, it makes use of fuzzywuzzy library to get a similarity score. If the score is above a certain threshold, we ignore the fragment, otherwise add it. But the score might be misleading for small commit messages. So, it uses similarity function only if the length of string (in words) is above a certain value. The patch adds tests related to its usage. But it needs improvement in the sense of combining incoming notes. We can use interactive mode for adding notes. Maybe we can do this if similarity is under a certain range.
Sat, 29 Jul 2017 14:06:26 +0530 releasenotes: add import check for fuzzywuzzy
Rishabh Madan <rishabhmadan96@gmail.com> [Sat, 29 Jul 2017 14:06:26 +0530] rev 33697
releasenotes: add import check for fuzzywuzzy This patch adds the has_fuzzywuzzy for import check of external dependency fuzzywuzzy.
Tue, 18 Jul 2017 00:57:11 -0400 run-tests: don't drop optional lines after a missing unconditional line
Matt Harbison <matt_harbison@yahoo.com> [Tue, 18 Jul 2017 00:57:11 -0400] rev 33696
run-tests: don't drop optional lines after a missing unconditional line The previous behavior was to bail out when hitting 'awol', so 'missing (?)' was also dropped.
Tue, 18 Jul 2017 00:12:44 -0400 run-tests: drop required (feature !) style lines when the output is missing
Matt Harbison <matt_harbison@yahoo.com> [Tue, 18 Jul 2017 00:12:44 -0400] rev 33695
run-tests: drop required (feature !) style lines when the output is missing Essentially, these were acting as a verbose (?) flag, since they weren't being dropped when required. Foozy has a nice description [1]. Basically, a couple more places needed to check the features before treating it as optional. I don't like how test-run-tests.py had to be hacked, but _hghave() can't be made a static method. The test change was a change while developing `debugssl`, prior to tightening up the cases where the message is printed, that this fix would have caught. [1] https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-July/101941.html
Mon, 24 Jul 2017 10:34:32 +0200 status: avoid recursing into ignored directory with "--terse u"
Denis Laxalde <denis.laxalde@logilab.fr> [Mon, 24 Jul 2017 10:34:32 +0200] rev 33694
status: avoid recursing into ignored directory with "--terse u" Let "isignoreddir" function first check that supplied directory is itself ignored before walking recursively into its content. Otherwise, the command is awfully slow when one has an ignored directory with a lot of content. Update and rephrase function docstring accordingly.
Mon, 31 Jul 2017 09:59:42 +0530 pushvars: move fb extension pushvars to core
Pulkit Goyal <7895pulkit@gmail.com> [Mon, 31 Jul 2017 09:59:42 +0530] rev 33693
pushvars: move fb extension pushvars to core pushvars extension in fbext adds a --pushvars flag to push command using which one send strings to server which becomes environment variables there prepended with HG_USERVAR_. These variables can then be used to run hooks on the server. The extension is moved directly to core and unbundling of the strings and converting them to environment variables at server is disabled by default for security reasons. One can turn that on by following config: [push] pushvars.server = true This patch also adds the test for the extension. Differential Revision: https://phab.mercurial-scm.org/D210
Fri, 04 Aug 2017 12:21:23 -0700 phabricator: update diff property even if we choose not to create a new diff
Jun Wu <quark@fb.com> [Fri, 04 Aug 2017 12:21:23 -0700] rev 33692
phabricator: update diff property even if we choose not to create a new diff The diff property contains metadata like "HG Node". Previously we skip uploading a new diff if we are sure that the old patch and new patch have a same content. That has issues when a pusher adds an obsmarker using the old "HG Node" stored in the old diff. This patch adds logic to update the diff property so "HG Node" gets updated to prevent that issue. Differential Revision: https://phab.mercurial-scm.org/D229
Mon, 17 Jul 2017 19:52:50 -0700 phabricator: use Phabricator's last node information
Jun Wu <quark@fb.com> [Mon, 17 Jul 2017 19:52:50 -0700] rev 33691
phabricator: use Phabricator's last node information This makes it more strict when checking whether or not we should update a Differential Revision. For example, a) Alice updates D1 to content 1. b) Bob updates D1 to content 2. c) Alice tries to update D1 to content 1. Previously, `c)` will do nothing because `phabsend` detects the patch is not changed. A more correct behavior is to override Bob's update here, hence the patch. This also makes it possible to return a reaonsable "last node" when there is no tags but only `Differential Revision` commit messages. Test Plan: ``` for i in A B C; do echo $i > $i; hg ci -m $i -A $i; done hg phabsend 0:: # D40: created # D41: created # D42: created echo 3 >> C; hg amend; hg phabsend . # D42: updated hg tag --local --hidden -r 2 -f D42 # move tag to the previous version hg phabsend . # D42: skipped (previously it would be "updated") rm -rf .hg; hg init hg phabread --stack D42 | hg import - hg phabsend . # D42: updated hg tag --local --remove D42 hg commit --amend hg phabsend . # D42: updated (no new diff uploaded, previously it will upload a new diff) ``` The old diff object is now returned, which could be useful in the next patch. Differential Revision: https://phab.mercurial-scm.org/D121
Thu, 03 Aug 2017 03:09:33 +0530 phabricator: add --confirm option to phabsend command
Pulkit Goyal <7895pulkit@gmail.com> [Thu, 03 Aug 2017 03:09:33 +0530] rev 33690
phabricator: add --confirm option to phabsend command This adds a --confirm flag similar to the confirm flag of `hg email` using which one can confirm the changesets before they get emailed. The confirm flag will show the changesets and ask for confirmation before sending them. Differential Revision: https://phab.mercurial-scm.org/D218
Tue, 01 Aug 2017 18:07:34 +0200 evolution: rename bumped to phase-divergent
Boris Feld <boris.feld@octobus.net> [Tue, 01 Aug 2017 18:07:34 +0200] rev 33689
evolution: rename bumped to phase-divergent Rename bumped to phase-divergent in all external user-facing output. Only update user-facing output for the moment, variables names, templates keyword and potentially configuration would be done in later series. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D216
Tue, 01 Aug 2017 17:58:20 +0200 evolution: rename divergent to content-divergent
Boris Feld <boris.feld@octobus.net> [Tue, 01 Aug 2017 17:58:20 +0200] rev 33688
evolution: rename divergent to content-divergent Rename divergent to content-divergent in all external user-facing output. Only update user-facing output for the moment, variables names, templates keyword and potentially configuration would be done in later series. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D215
Thu, 03 Aug 2017 00:45:02 +0900 py3: use bytes IO to write sample hgrc
Yuya Nishihara <yuya@tcha.org> [Thu, 03 Aug 2017 00:45:02 +0900] rev 33687
py3: use bytes IO to write sample hgrc Unicode sucks. Stop using Text IO and manually convert line endings.
Fri, 04 Aug 2017 08:15:10 +0200 buildrpm: do not break in presence of custom user configs
muxator <a.mux@inwind.it> [Fri, 04 Aug 2017 08:15:10 +0200] rev 33686
buildrpm: do not break in presence of custom user configs For example, if "hg log" was defined as an alias: # /etc/mercurial/hgrc [alias] log = log --graph the buildrpm script would be surprised by log messages formatted in unexpected ways, and bail out. This patch sets HGPLAIN, effectively resetting all the user configs, including log output, to a common state, making the build more predictable across all the possible environments.
Fri, 04 Aug 2017 05:38:22 -0700 sparse: treat paths as cwd-relative
Kostia Balytskyi <ikostia@fb.com> [Fri, 04 Aug 2017 05:38:22 -0700] rev 33685
sparse: treat paths as cwd-relative This commit makes it so sparse treats passed paths as CWD-relative, not repo-root-realive. This is a more intuitive behavior in my (and some other FB people's) opinion. This is breaking change however. My hope here is that since sparse is experimental, it's ok to introduce BCs. The reason (glob)s are needed in the test is this: in these two cases we do not supply path together with slashes, but `os.path.join` adds them, which means that under Windows they can be backslashes. To demonstrate this behavior, one could remove the (glob)s and run `./run-tests.py test-sparse.t` from MinGW's terminal on Windows.
Wed, 02 Aug 2017 15:48:57 -0700 match: expose some data and functionality to other modules
Kostia Balytskyi <ikostia@fb.com> [Wed, 02 Aug 2017 15:48:57 -0700] rev 33684
match: expose some data and functionality to other modules This patch makes sure that other modules can check whether patterns are CWD-relative.
Wed, 02 Aug 2017 15:05:21 -0700 sparse: properly error out when absolute paths are used
Kostia Balytskyi <ikostia@fb.com> [Wed, 02 Aug 2017 15:05:21 -0700] rev 33683
sparse: properly error out when absolute paths are used Current logic is misleading (it says it drops only absolute paths, but it actually drops all of them), not cross-platform (does not support Windows) and IMO just wrong (as it should just error out if absolute paths are given). This commit fixes it.
Thu, 03 Aug 2017 23:02:32 +0900 py3: convert arbitrary exception object to byte string more reliably
Yuya Nishihara <yuya@tcha.org> [Thu, 03 Aug 2017 23:02:32 +0900] rev 33682
py3: convert arbitrary exception object to byte string more reliably Our exception types implement __bytes__(), which should be tried first. Do lossy encoding conversion as a last resort.
Thu, 03 Aug 2017 20:08:31 -0700 build: delay version computation on macOS builds
Rodrigo Damazio <rdamazio@google.com> [Thu, 03 Aug 2017 20:08:31 -0700] rev 33681
build: delay version computation on macOS builds The way HGVER is evaluated now, it'll be evaluated at the beginning of the make execution - with this change, it's evaluated when it gets to that command, at which point the version file it's looking for is sure to exist and be up-to-date. Differential Revision: https://phab.mercurial-scm.org/D224
Thu, 03 Aug 2017 12:40:48 -0700 color: remove warnings if term is not formatted (==dumb or !ui.formatted())
Kyle Lippincott <spectral@google.com> [Thu, 03 Aug 2017 12:40:48 -0700] rev 33680
color: remove warnings if term is not formatted (==dumb or !ui.formatted()) If the user sets color.mode=terminfo, and then runs in the shell inside of emacs (so TERM=dumb), the previous behavior was that it would warn about no terminfo entry for setab/setaf, and then warn about 'failed to set color mode to terminfo'. The first warning is silenced by carrying 'formatted' through to _terminfosetup, the second is silenced by using 'formatted' instead of ui.formatted(). If --color=on (or ui.color=always) is specified, this will still warn, since the formatted boolean is set to true in these cases. Differential Revision: https://phab.mercurial-scm.org/D223
Thu, 27 Jul 2017 16:09:26 +0200 rpms: add chg
Mathias De Maré <mathias.de_mare@nokia.com> [Thu, 27 Jul 2017 16:09:26 +0200] rev 33679
rpms: add chg I'm not sure if there's a reason chg is not added by default. If not, I would like to propose adding in this patch. Differential Revision: https://phab.mercurial-scm.org/D220
Fri, 14 Jul 2017 14:30:55 -0700 tests: demonstrate crash when trying to rebase merge without its parents
Martin von Zweigbergk <martinvonz@google.com> [Fri, 14 Jul 2017 14:30:55 -0700] rev 33678
tests: demonstrate crash when trying to rebase merge without its parents As the test case shows, when "hg rebase -d G -r 'B + D + F'" is run on the following graph, we crash with traceback. It's reasonable to fail because we can not easily produce a correct rebased F. The problem is what diff to apply to either the rebased B or the rebased D. We could potentially produce the result by e.g. applying the (F-D) diff to the rebased B and then applying the reverse (E-D) diff on top, but that could result in merge conflicts in each of those steps, which we don't have a way of dealing with. So for now, let's just add a test case to demonstrate that we crash (i.e. the AssertionError is clearly incorrect since the user can run into it). F /| C E | | B D G \|/ A Differential Revision: https://phab.mercurial-scm.org/D212
Sun, 16 Jul 2017 23:17:41 -0700 tests: demonstrate broken rebase of merge with p1's successor in dest
Martin von Zweigbergk <martinvonz@google.com> [Sun, 16 Jul 2017 23:17:41 -0700] rev 33677
tests: demonstrate broken rebase of merge with p1's successor in dest The fix in 8ede973597fd (rebase: handle successor targets (issue5198), 2016-04-11) only fixed the case where p2's successor was in the destination, and only when the successor was exactly the destination (i.e. not when the successor was an ancestor of it). This patch adds a test case for when p1's successor is in the destination. It adds another one for when the successor is an ancestor of the destination. To do that simply, it also rewrites the test case using drawdag. Differential Revision: https://phab.mercurial-scm.org/D211
Mon, 24 Jul 2017 11:19:11 -0400 bundle2: obtain repr() of exception in a python3-safe way
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 11:19:11 -0400] rev 33676
bundle2: obtain repr() of exception in a python3-safe way This was exposed by other problems in bundle generation, but I'm not sure how to test it for now.
Mon, 24 Jul 2017 11:28:40 -0400 bundle2: use bytestr() instead of str() to convert part id to bytes
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 11:28:40 -0400] rev 33675
bundle2: use bytestr() instead of str() to convert part id to bytes This was exposed by trying to run previously-passing Python 3 tests.
Mon, 24 Jul 2017 11:20:08 -0400 bundle2: work around zip() being lazy in Python 3
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 11:20:08 -0400] rev 33674
bundle2: work around zip() being lazy in Python 3
Mon, 24 Jul 2017 11:19:45 -0400 bundle2: look for __next__ as well as next to identify iterators
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 11:19:45 -0400] rev 33673
bundle2: look for __next__ as well as next to identify iterators In Python 3, next is called __next__ and this was failing to catch some iterators.
Mon, 24 Jul 2017 11:17:36 -0400 bundle2: use modern Python division
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 11:17:36 -0400] rev 33672
bundle2: use modern Python division This was failing on Python 3 because the / was returning a float, which was then making the __mul__ on a bytes sad.
Mon, 24 Jul 2017 11:16:53 -0400 changegroup: wrap some ** expansions in strkwargs
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 11:16:53 -0400] rev 33671
changegroup: wrap some ** expansions in strkwargs
Mon, 24 Jul 2017 10:21:23 -0400 obsolete: reuse _fm1metapair for computing _fm1metapairsize
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 10:21:23 -0400] rev 33670
obsolete: reuse _fm1metapair for computing _fm1metapairsize It's evaluated at import time, so it seems silly to not reuse the constant name.
Fri, 11 Aug 2017 10:16:00 +0900 setup: fix installing in a mingw environment stable
Mike Hommey <mh@glandium.org> [Fri, 11 Aug 2017 10:16:00 +0900] rev 33669
setup: fix installing in a mingw environment The addition, in 9a4adc76c88a, of a hack for the MSVC compiler class was overwriting the original class for the Mingw32CCompiler class, leading to an error when the HackedMingw32CCompiler is instantiated. Differential Revision: https://phab.mercurial-scm.org/D329
Thu, 10 Aug 2017 21:25:02 -0400 osx: delay version computation on macOS builds stable
Kevin Bullock <kbullock+mercurial@ringworld.org> [Thu, 10 Aug 2017 21:25:02 -0400] rev 33668
osx: delay version computation on macOS builds Before this patch, HGVER would be evaluated at the beginning of the make execution, and would be unset because build/mercurial/ doesn't exist yet at that point. Now we compute the version after the `make install` run has completed. This is backported to stable from 8626b44516c1, but that revision had an error in the shell invocation syntax.
Tue, 01 Aug 2017 17:53:48 +0200 evolution: rename unstable to orphan
Boris Feld <boris.feld@octobus.net> [Tue, 01 Aug 2017 17:53:48 +0200] rev 33667
evolution: rename unstable to orphan Rename unstable to orphan in all external user-facing output. Only update user-facing output for the moment, variables names, templates keyword and potentially configuration would be done in later series. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D214
Tue, 01 Aug 2017 17:39:28 +0200 evolution: rename trouble(s) to instability
Boris Feld <boris.feld@octobus.net> [Tue, 01 Aug 2017 17:39:28 +0200] rev 33666
evolution: rename trouble(s) to instability Rename trouble(s) to instability in all external user-facing output. Only update user-facing output for the moment, variables names, templates keyword and potentially configuration would be done in later series. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D213
Wed, 02 Aug 2017 03:23:06 +0530 bundle2: load hookargs from bundleoperation into transaction when started one
Pulkit Goyal <7895pulkit@gmail.com> [Wed, 02 Aug 2017 03:23:06 +0530] rev 33665
bundle2: load hookargs from bundleoperation into transaction when started one When a transaction is started, we must load the hookargs from the bundleoperation object to the transaction so that they can be used in the transaction. Also this patch makes sure no more hookargs are added to the bundleoperation object once the transaction starts. This is a part of porting fb extension bundle2hooks to core. Differential Revision: https://phab.mercurial-scm.org/D209
Wed, 02 Aug 2017 03:08:42 +0530 bundle2: add the capability to store hookargs on bundle operation object
Pulkit Goyal <7895pulkit@gmail.com> [Wed, 02 Aug 2017 03:08:42 +0530] rev 33664
bundle2: add the capability to store hookargs on bundle operation object There are extensions like pushrebase, pushvars which run hooks on a server before taking the lock. Since the lock is not taken, transaction is not there, so the hookargs can't be stored on the transaction. Adding hooksargs to bundle operation object will help in running hooks before taking the lock. This is a part of moving fb's extension bundle2hooks to core. Differential Revision: https://phab.mercurial-scm.org/D208
Thu, 10 Aug 2017 20:47:19 -0700 branchmap: revert c34532365b38 for Python 2.7 compatibility stable
Mike Hommey <mh@glandium.org> [Thu, 10 Aug 2017 20:47:19 -0700] rev 33663
branchmap: revert c34532365b38 for Python 2.7 compatibility Old versions of python 2.7 don't like that the second argument to struct.unpack_from is a bytearray, so the change removing the util.buffer around that argument in branchmap broke running on older versions of python 2.7. Differential Revision: https://phab.mercurial-scm.org/D330
Thu, 10 Aug 2017 18:46:55 -0400 Added signature for changeset 3fee7f7d2da0 stable
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 18:46:55 -0400] rev 33662
Added signature for changeset 3fee7f7d2da0
Thu, 10 Aug 2017 18:46:54 -0400 Added tag 4.3.1 for changeset 3fee7f7d2da0 stable
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 18:46:54 -0400] rev 33661
Added tag 4.3.1 for changeset 3fee7f7d2da0
Mon, 07 Aug 2017 22:22:28 +0900 ssh: unban the use of pipe character in user@host:port string stable 4.3.1
Yuya Nishihara <yuya@tcha.org> [Mon, 07 Aug 2017 22:22:28 +0900] rev 33660
ssh: unban the use of pipe character in user@host:port string This vulnerability was fixed by the previous patch and there were more ways to exploit than using '|shellcmd'. So it doesn't make sense to reject only pipe character. Test cases are updated to actually try to exploit the bug. As the SSH bridge of git/svn subrepos are not managed by our code, the tests for non-hg subrepos are just removed. This may be folded into the original patches.
Fri, 04 Aug 2017 23:54:12 -0700 ssh: quote parameters using shellquote (SEC) stable
Jun Wu <quark@fb.com> [Fri, 04 Aug 2017 23:54:12 -0700] rev 33659
ssh: quote parameters using shellquote (SEC) This patch uses shellquote to quote ssh parameters more strictly to avoid shell injection.
Mon, 31 Jul 2017 14:55:11 -0700 subrepo: add tests for git rogue ssh urls (SEC) stable
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:55:11 -0700] rev 33658
subrepo: add tests for git rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.
Mon, 31 Jul 2017 16:44:17 -0700 subrepo: add tests for svn rogue ssh urls (SEC) stable
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:44:17 -0700] rev 33657
subrepo: add tests for svn rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.
Mon, 31 Jul 2017 16:04:44 -0700 subrepo: add tests for hg rogue ssh urls (SEC) stable
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:04:44 -0700] rev 33656
subrepo: add tests for hg rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.
Mon, 31 Jul 2017 14:40:28 -0700 push: add tests for unsafe ssh url (SEC) stable
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:40:28 -0700] rev 33655
push: add tests for unsafe ssh url (SEC)
Fri, 28 Jul 2017 16:47:32 -0700 pull: add tests for unsafe ssh url (SEC) stable
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:47:32 -0700] rev 33654
pull: add tests for unsafe ssh url (SEC)
Fri, 28 Jul 2017 16:36:36 -0700 clone: add tests for unsafe ssh url (SEC) stable
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:36:36 -0700] rev 33653
clone: add tests for unsafe ssh url (SEC)
Tue, 01 Aug 2017 14:40:19 -0700 sshpeer: check for safe ssh url (SEC) stable
Sean Farley <sean@farley.io> [Tue, 01 Aug 2017 14:40:19 -0700] rev 33652
sshpeer: check for safe ssh url (SEC) Checking in the sshpeer for a rogue ssh:// urls seems like the right place to do it (instead of whack-a-mole with pull, clone, push, etc).
Fri, 04 Aug 2017 14:00:03 -0400 ssh: ban any username@host or host that starts with - (SEC) stable
Augie Fackler <augie@google.com> [Fri, 04 Aug 2017 14:00:03 -0400] rev 33651
ssh: ban any username@host or host that starts with - (SEC) This paranoia probably isn't required, but it can't hurt either.
Fri, 28 Jul 2017 16:32:25 -0700 util: add utility method to check for bad ssh urls (SEC) stable
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:32:25 -0700] rev 33650
util: add utility method to check for bad ssh urls (SEC) Our use of SSH has an exploit that will parse the first part of an url blindly as a hostname. Prior to this set of security patches, a url with '-oProxyCommand' could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' can be abused to execute arbitrary commands in a similar fashion. We defend against this by checking ssh:// URLs and looking for a hostname that starts with a - or contains a |. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.
Wed, 26 Jul 2017 22:10:15 +0900 pathauditor: disable cache of audited paths by default (issue5628) stable
Yuya Nishihara <yuya@tcha.org> [Wed, 26 Jul 2017 22:10:15 +0900] rev 33649
pathauditor: disable cache of audited paths by default (issue5628) The initial attempt was to discard cache when appropriate, but it appears to be error prone. We had to carefully inspect all places where audit() is called e.g. without actually updating filesystem, before removing files and directories, etc. So, this patch disables the cache of audited paths by default, and enables it only for the following cases: - short-lived auditor objects - repo.vfs, repo.svfs, and repo.cachevfs, which are managed directories and considered sort of append-only (a file/directory would never be replaced with a symlink) There would be more cacheable vfs objects (e.g. mq.queue.opener), but I decided not to inspect all of them in this patch. We can make them cached later. Benchmark result: - using old clone of http://selenic.com/repo/linux-2.6/ (38319 files) - on tmpfs - run HGRCPATH=/dev/null hg up -q --time tip && hg up -q null - try 4 times and take the last three results original: real 7.480 secs (user 1.140+22.760 sys 0.150+1.690) real 8.010 secs (user 1.070+22.280 sys 0.170+2.120) real 7.470 secs (user 1.120+22.390 sys 0.120+1.910) clearcache (the other series): real 7.680 secs (user 1.120+23.420 sys 0.140+1.970) real 7.670 secs (user 1.110+23.620 sys 0.130+1.810) real 7.740 secs (user 1.090+23.510 sys 0.160+1.940) enable cache only for vfs and svfs (this series): real 8.730 secs (user 1.500+25.190 sys 0.260+2.260) real 8.750 secs (user 1.490+25.170 sys 0.250+2.340) real 9.010 secs (user 1.680+25.340 sys 0.280+2.540) remove cache function at all (for reference): real 9.620 secs (user 1.440+27.120 sys 0.250+2.980) real 9.420 secs (user 1.400+26.940 sys 0.320+3.130) real 9.760 secs (user 1.530+27.270 sys 0.250+2.970)
Tue, 01 Aug 2017 21:03:25 +0900 tests: show cache of audited paths is never invalidated stable
Yuya Nishihara <yuya@tcha.org> [Tue, 01 Aug 2017 21:03:25 +0900] rev 33648
tests: show cache of audited paths is never invalidated
Thu, 10 Aug 2017 14:23:25 -0400 stable: merge heads stable
Augie Fackler <augie@google.com> [Thu, 10 Aug 2017 14:23:25 -0400] rev 33647
stable: merge heads
Thu, 10 Aug 2017 14:14:49 -0400 Added signature for changeset 943c91326b23 stable
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 14:14:49 -0400] rev 33646
Added signature for changeset 943c91326b23
Thu, 10 Aug 2017 14:14:48 -0400 Added tag 4.2.3 for changeset 943c91326b23 stable
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 14:14:48 -0400] rev 33645
Added tag 4.2.3 for changeset 943c91326b23
Mon, 07 Aug 2017 22:22:28 +0900 ssh: unban the use of pipe character in user@host:port string stable 4.2.3
Yuya Nishihara <yuya@tcha.org> [Mon, 07 Aug 2017 22:22:28 +0900] rev 33644
ssh: unban the use of pipe character in user@host:port string This vulnerability was fixed by the previous patch and there were more ways to exploit than using '|shellcmd'. So it doesn't make sense to reject only pipe character. Test cases are updated to actually try to exploit the bug. As the SSH bridge of git/svn subrepos are not managed by our code, the tests for non-hg subrepos are just removed. This may be folded into the original patches.
Fri, 04 Aug 2017 23:54:12 -0700 ssh: quote parameters using shellquote (SEC) stable
Jun Wu <quark@fb.com> [Fri, 04 Aug 2017 23:54:12 -0700] rev 33643
ssh: quote parameters using shellquote (SEC) This patch uses shellquote to quote ssh parameters more strictly to avoid shell injection.
Mon, 31 Jul 2017 14:55:11 -0700 subrepo: add tests for git rogue ssh urls (SEC) stable
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:55:11 -0700] rev 33642
subrepo: add tests for git rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.
Mon, 31 Jul 2017 16:44:17 -0700 subrepo: add tests for svn rogue ssh urls (SEC) stable
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:44:17 -0700] rev 33641
subrepo: add tests for svn rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.
Mon, 31 Jul 2017 16:04:44 -0700 subrepo: add tests for hg rogue ssh urls (SEC) stable
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:04:44 -0700] rev 33640
subrepo: add tests for hg rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.
Mon, 31 Jul 2017 14:40:28 -0700 push: add tests for unsafe ssh url (SEC) stable
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:40:28 -0700] rev 33639
push: add tests for unsafe ssh url (SEC)
Fri, 28 Jul 2017 16:47:32 -0700 pull: add tests for unsafe ssh url (SEC) stable
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:47:32 -0700] rev 33638
pull: add tests for unsafe ssh url (SEC)
Fri, 28 Jul 2017 16:36:36 -0700 clone: add tests for unsafe ssh url (SEC) stable
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:36:36 -0700] rev 33637
clone: add tests for unsafe ssh url (SEC)
Tue, 01 Aug 2017 14:40:19 -0700 sshpeer: check for safe ssh url (SEC) stable
Sean Farley <sean@farley.io> [Tue, 01 Aug 2017 14:40:19 -0700] rev 33636
sshpeer: check for safe ssh url (SEC) Checking in the sshpeer for a rogue ssh:// urls seems like the right place to do it (instead of whack-a-mole with pull, clone, push, etc).
Fri, 04 Aug 2017 14:00:03 -0400 ssh: ban any username@host or host that starts with - (SEC) stable
Augie Fackler <augie@google.com> [Fri, 04 Aug 2017 14:00:03 -0400] rev 33635
ssh: ban any username@host or host that starts with - (SEC) This paranoia probably isn't required, but it can't hurt either.
(0) -30000 -10000 -3000 -1000 -300 -100 -64 +64 +100 +300 +1000 +3000 +10000 tip