Rishabh Madan <rishabhmadan96@gmail.com> [Sat, 05 Aug 2017 05:25:36 +0530] rev 33698
releasenotes: add similarity check function to compare incoming notes
It is possible that the incoming note fragments have some similar content as the
existing release notes. In case of a bug fix, we match for issueNNNN in the
existing notes. For other general cases, it makes use of fuzzywuzzy library to get
a similarity score. If the score is above a certain threshold, we ignore the
fragment, otherwise add it. But the score might be misleading for small commit
messages. So, it uses similarity function only if the length of string (in words)
is above a certain value. The patch adds tests related to its usage. But it needs
improvement in the sense of combining incoming notes. We can use interactive mode
for adding notes. Maybe we can do this if similarity is under a certain range.
Rishabh Madan <rishabhmadan96@gmail.com> [Sat, 29 Jul 2017 14:06:26 +0530] rev 33697
releasenotes: add import check for fuzzywuzzy
This patch adds the has_fuzzywuzzy for import check of external dependency
fuzzywuzzy.
Matt Harbison <matt_harbison@yahoo.com> [Tue, 18 Jul 2017 00:57:11 -0400] rev 33696
run-tests: don't drop optional lines after a missing unconditional line
The previous behavior was to bail out when hitting 'awol', so 'missing (?)' was
also dropped.
Matt Harbison <matt_harbison@yahoo.com> [Tue, 18 Jul 2017 00:12:44 -0400] rev 33695
run-tests: drop required (feature !) style lines when the output is missing
Essentially, these were acting as a verbose (?) flag, since they weren't being
dropped when required. Foozy has a nice description [1]. Basically, a couple
more places needed to check the features before treating it as optional.
I don't like how test-run-tests.py had to be hacked, but _hghave() can't be made
a static method. The test change was a change while developing `debugssl`,
prior to tightening up the cases where the message is printed, that this fix
would have caught.
[1] https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-July/101941.html
Denis Laxalde <denis.laxalde@logilab.fr> [Mon, 24 Jul 2017 10:34:32 +0200] rev 33694
status: avoid recursing into ignored directory with "--terse u"
Let "isignoreddir" function first check that supplied directory is itself
ignored before walking recursively into its content. Otherwise, the command is
awfully slow when one has an ignored directory with a lot of content.
Update and rephrase function docstring accordingly.
Pulkit Goyal <7895pulkit@gmail.com> [Mon, 31 Jul 2017 09:59:42 +0530] rev 33693
pushvars: move fb extension pushvars to core
pushvars extension in fbext adds a --pushvars flag to push command using which
one send strings to server which becomes environment variables there prepended
with HG_USERVAR_. These variables can then be used to run hooks on the server.
The extension is moved directly to core and unbundling of the strings and
converting them to environment variables at server is disabled by default for
security reasons. One can turn that on by following config:
[push]
pushvars.server = true
This patch also adds the test for the extension.
Differential Revision: https://phab.mercurial-scm.org/D210
Jun Wu <quark@fb.com> [Fri, 04 Aug 2017 12:21:23 -0700] rev 33692
phabricator: update diff property even if we choose not to create a new diff
The diff property contains metadata like "HG Node". Previously we skip
uploading a new diff if we are sure that the old patch and new patch have a
same content. That has issues when a pusher adds an obsmarker using the old
"HG Node" stored in the old diff.
This patch adds logic to update the diff property so "HG Node" gets updated
to prevent that issue.
Differential Revision: https://phab.mercurial-scm.org/D229
Jun Wu <quark@fb.com> [Mon, 17 Jul 2017 19:52:50 -0700] rev 33691
phabricator: use Phabricator's last node information
This makes it more strict when checking whether or not we should update a
Differential Revision. For example,
a) Alice updates D1 to content 1.
b) Bob updates D1 to content 2.
c) Alice tries to update D1 to content 1.
Previously, `c)` will do nothing because `phabsend` detects the patch is not
changed. A more correct behavior is to override Bob's update here, hence the
patch.
This also makes it possible to return a reaonsable "last node" when there is
no tags but only `Differential Revision` commit messages.
Test Plan:
```
for i in A B C; do echo $i > $i; hg ci -m $i -A $i; done
hg phabsend 0::
# D40: created
# D41: created
# D42: created
echo 3 >> C; hg amend; hg phabsend .
# D42: updated
hg tag --local --hidden -r 2 -f D42
# move tag to the previous version
hg phabsend .
# D42: skipped (previously it would be "updated")
rm -rf .hg; hg init
hg phabread --stack D42 | hg import -
hg phabsend .
# D42: updated
hg tag --local --remove D42
hg commit --amend
hg phabsend .
# D42: updated (no new diff uploaded, previously it will upload a new diff)
```
The old diff object is now returned, which could be useful in the next
patch.
Differential Revision: https://phab.mercurial-scm.org/D121
Pulkit Goyal <7895pulkit@gmail.com> [Thu, 03 Aug 2017 03:09:33 +0530] rev 33690
phabricator: add --confirm option to phabsend command
This adds a --confirm flag similar to the confirm flag of `hg email` using which
one can confirm the changesets before they get emailed. The confirm flag will
show the changesets and ask for confirmation before sending them.
Differential Revision: https://phab.mercurial-scm.org/D218
Boris Feld <boris.feld@octobus.net> [Tue, 01 Aug 2017 18:07:34 +0200] rev 33689
evolution: rename bumped to phase-divergent
Rename bumped to phase-divergent in all external user-facing output. Only
update user-facing output for the moment, variables names, templates keyword
and potentially configuration would be done in later series.
The renaming is done according to
https://www.mercurial-scm.org/wiki/CEDVocabulary.
Differential Revision: https://phab.mercurial-scm.org/D216
Boris Feld <boris.feld@octobus.net> [Tue, 01 Aug 2017 17:58:20 +0200] rev 33688
evolution: rename divergent to content-divergent
Rename divergent to content-divergent in all external user-facing output. Only
update user-facing output for the moment, variables names, templates keyword
and potentially configuration would be done in later series.
The renaming is done according to
https://www.mercurial-scm.org/wiki/CEDVocabulary.
Differential Revision: https://phab.mercurial-scm.org/D215
Yuya Nishihara <yuya@tcha.org> [Thu, 03 Aug 2017 00:45:02 +0900] rev 33687
py3: use bytes IO to write sample hgrc
Unicode sucks. Stop using Text IO and manually convert line endings.
muxator <a.mux@inwind.it> [Fri, 04 Aug 2017 08:15:10 +0200] rev 33686
buildrpm: do not break in presence of custom user configs
For example, if "hg log" was defined as an alias:
# /etc/mercurial/hgrc
[alias]
log = log --graph
the buildrpm script would be surprised by log messages formatted in
unexpected ways, and bail out.
This patch sets HGPLAIN, effectively resetting all the user configs,
including log output, to a common state, making the build more
predictable across all the possible environments.
Kostia Balytskyi <ikostia@fb.com> [Fri, 04 Aug 2017 05:38:22 -0700] rev 33685
sparse: treat paths as cwd-relative
This commit makes it so sparse treats passed paths as CWD-relative,
not repo-root-realive. This is a more intuitive behavior in my (and some
other FB people's) opinion.
This is breaking change however. My hope here is that since sparse is
experimental, it's ok to introduce BCs.
The reason (glob)s are needed in the test is this: in these two cases we
do not supply path together with slashes, but `os.path.join` adds them, which
means that under Windows they can be backslashes. To demonstrate this behavior,
one could remove the (glob)s and run `./run-tests.py test-sparse.t` from
MinGW's terminal on Windows.
Kostia Balytskyi <ikostia@fb.com> [Wed, 02 Aug 2017 15:48:57 -0700] rev 33684
match: expose some data and functionality to other modules
This patch makes sure that other modules can check whether patterns
are CWD-relative.
Kostia Balytskyi <ikostia@fb.com> [Wed, 02 Aug 2017 15:05:21 -0700] rev 33683
sparse: properly error out when absolute paths are used
Current logic is misleading (it says it drops only absolute paths, but
it actually drops all of them), not cross-platform (does not support Windows)
and IMO just wrong (as it should just error out if absolute paths are given).
This commit fixes it.
Yuya Nishihara <yuya@tcha.org> [Thu, 03 Aug 2017 23:02:32 +0900] rev 33682
py3: convert arbitrary exception object to byte string more reliably
Our exception types implement __bytes__(), which should be tried first. Do
lossy encoding conversion as a last resort.
Rodrigo Damazio <rdamazio@google.com> [Thu, 03 Aug 2017 20:08:31 -0700] rev 33681
build: delay version computation on macOS builds
The way HGVER is evaluated now, it'll be evaluated at the beginning of the
make execution - with this change, it's evaluated when it gets to that command,
at which point the version file it's looking for is sure to exist and be
up-to-date.
Differential Revision: https://phab.mercurial-scm.org/D224
Kyle Lippincott <spectral@google.com> [Thu, 03 Aug 2017 12:40:48 -0700] rev 33680
color: remove warnings if term is not formatted (==dumb or !ui.formatted())
If the user sets color.mode=terminfo, and then runs in the shell inside of emacs
(so TERM=dumb), the previous behavior was that it would warn about no terminfo
entry for setab/setaf, and then warn about 'failed to set color mode to
terminfo'. The first warning is silenced by carrying 'formatted' through to
_terminfosetup, the second is silenced by using 'formatted' instead of
ui.formatted().
If --color=on (or ui.color=always) is specified, this will still warn, since the
formatted boolean is set to true in these cases.
Differential Revision: https://phab.mercurial-scm.org/D223
Mathias De Maré <mathias.de_mare@nokia.com> [Thu, 27 Jul 2017 16:09:26 +0200] rev 33679
rpms: add chg
I'm not sure if there's a reason chg is not added by default.
If not, I would like to propose adding in this patch.
Differential Revision: https://phab.mercurial-scm.org/D220
Martin von Zweigbergk <martinvonz@google.com> [Fri, 14 Jul 2017 14:30:55 -0700] rev 33678
tests: demonstrate crash when trying to rebase merge without its parents
As the test case shows, when "hg rebase -d G -r 'B + D + F'" is run on
the following graph, we crash with traceback. It's reasonable to fail
because we can not easily produce a correct rebased F. The problem is
what diff to apply to either the rebased B or the rebased D. We could
potentially produce the result by e.g. applying the (F-D) diff to the
rebased B and then applying the reverse (E-D) diff on top, but that
could result in merge conflicts in each of those steps, which we don't
have a way of dealing with. So for now, let's just add a test case to
demonstrate that we crash (i.e. the AssertionError is clearly
incorrect since the user can run into it).
F
/|
C E
| |
B D G
\|/
A
Differential Revision: https://phab.mercurial-scm.org/D212
Martin von Zweigbergk <martinvonz@google.com> [Sun, 16 Jul 2017 23:17:41 -0700] rev 33677
tests: demonstrate broken rebase of merge with p1's successor in dest
The fix in
8ede973597fd (rebase: handle successor targets (
issue5198),
2016-04-11) only fixed the case where p2's successor was in the
destination, and only when the successor was exactly the destination
(i.e. not when the successor was an ancestor of it). This patch adds a
test case for when p1's successor is in the destination. It adds
another one for when the successor is an ancestor of the
destination. To do that simply, it also rewrites the test case using
drawdag.
Differential Revision: https://phab.mercurial-scm.org/D211
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 11:19:11 -0400] rev 33676
bundle2: obtain repr() of exception in a python3-safe way
This was exposed by other problems in bundle generation, but I'm not
sure how to test it for now.
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 11:28:40 -0400] rev 33675
bundle2: use bytestr() instead of str() to convert part id to bytes
This was exposed by trying to run previously-passing Python 3 tests.
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 11:20:08 -0400] rev 33674
bundle2: work around zip() being lazy in Python 3
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 11:19:45 -0400] rev 33673
bundle2: look for __next__ as well as next to identify iterators
In Python 3, next is called __next__ and this was failing to catch
some iterators.
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 11:17:36 -0400] rev 33672
bundle2: use modern Python division
This was failing on Python 3 because the / was returning a float,
which was then making the __mul__ on a bytes sad.
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 11:16:53 -0400] rev 33671
changegroup: wrap some ** expansions in strkwargs
Augie Fackler <augie@google.com> [Mon, 24 Jul 2017 10:21:23 -0400] rev 33670
obsolete: reuse _fm1metapair for computing _fm1metapairsize
It's evaluated at import time, so it seems silly to not reuse the
constant name.
Mike Hommey <mh@glandium.org> [Fri, 11 Aug 2017 10:16:00 +0900] rev 33669
setup: fix installing in a mingw environment
The addition, in
9a4adc76c88a, of a hack for the MSVC compiler class was
overwriting the original class for the Mingw32CCompiler class, leading to an
error when the HackedMingw32CCompiler is instantiated.
Differential Revision: https://phab.mercurial-scm.org/D329
Kevin Bullock <kbullock+mercurial@ringworld.org> [Thu, 10 Aug 2017 21:25:02 -0400] rev 33668
osx: delay version computation on macOS builds
Before this patch, HGVER would be evaluated at the beginning of the make
execution, and would be unset because build/mercurial/ doesn't exist yet
at that point. Now we compute the version after the `make install` run
has completed.
This is backported to stable from
8626b44516c1, but that revision had an
error in the shell invocation syntax.
Boris Feld <boris.feld@octobus.net> [Tue, 01 Aug 2017 17:53:48 +0200] rev 33667
evolution: rename unstable to orphan
Rename unstable to orphan in all external user-facing output. Only update
user-facing output for the moment, variables names, templates keyword and
potentially configuration would be done in later series.
The renaming is done according to
https://www.mercurial-scm.org/wiki/CEDVocabulary.
Differential Revision: https://phab.mercurial-scm.org/D214
Boris Feld <boris.feld@octobus.net> [Tue, 01 Aug 2017 17:39:28 +0200] rev 33666
evolution: rename trouble(s) to instability
Rename trouble(s) to instability in all external user-facing output. Only
update user-facing output for the moment, variables names, templates keyword
and potentially configuration would be done in later series.
The renaming is done according to
https://www.mercurial-scm.org/wiki/CEDVocabulary.
Differential Revision: https://phab.mercurial-scm.org/D213
Pulkit Goyal <7895pulkit@gmail.com> [Wed, 02 Aug 2017 03:23:06 +0530] rev 33665
bundle2: load hookargs from bundleoperation into transaction when started one
When a transaction is started, we must load the hookargs from the
bundleoperation object to the transaction so that they can be used in the
transaction. Also this patch makes sure no more hookargs are added to the
bundleoperation object once the transaction starts.
This is a part of porting fb extension bundle2hooks to core.
Differential Revision: https://phab.mercurial-scm.org/D209
Pulkit Goyal <7895pulkit@gmail.com> [Wed, 02 Aug 2017 03:08:42 +0530] rev 33664
bundle2: add the capability to store hookargs on bundle operation object
There are extensions like pushrebase, pushvars which run hooks on a server
before taking the lock. Since the lock is not taken, transaction is not there,
so the hookargs can't be stored on the transaction. Adding hooksargs to bundle
operation object will help in running hooks before taking the lock.
This is a part of moving fb's extension bundle2hooks to core.
Differential Revision: https://phab.mercurial-scm.org/D208
Mike Hommey <mh@glandium.org> [Thu, 10 Aug 2017 20:47:19 -0700] rev 33663
branchmap: revert
c34532365b38 for Python 2.7 compatibility
Old versions of python 2.7 don't like that the second argument to
struct.unpack_from is a bytearray, so the change removing the util.buffer
around that argument in branchmap broke running on older versions of python
2.7.
Differential Revision: https://phab.mercurial-scm.org/D330
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 18:46:55 -0400] rev 33662
Added signature for changeset
3fee7f7d2da0
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 18:46:54 -0400] rev 33661
Added tag 4.3.1 for changeset
3fee7f7d2da0
Yuya Nishihara <yuya@tcha.org> [Mon, 07 Aug 2017 22:22:28 +0900] rev 33660
ssh: unban the use of pipe character in user@host:port string
This vulnerability was fixed by the previous patch and there were more ways
to exploit than using '|shellcmd'. So it doesn't make sense to reject only
pipe character.
Test cases are updated to actually try to exploit the bug. As the SSH bridge
of git/svn subrepos are not managed by our code, the tests for non-hg subrepos
are just removed.
This may be folded into the original patches.
Jun Wu <quark@fb.com> [Fri, 04 Aug 2017 23:54:12 -0700] rev 33659
ssh: quote parameters using shellquote (SEC)
This patch uses shellquote to quote ssh parameters more strictly to avoid
shell injection.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:55:11 -0700] rev 33658
subrepo: add tests for git rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:44:17 -0700] rev 33657
subrepo: add tests for svn rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:04:44 -0700] rev 33656
subrepo: add tests for hg rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:40:28 -0700] rev 33655
push: add tests for unsafe ssh url (SEC)
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:47:32 -0700] rev 33654
pull: add tests for unsafe ssh url (SEC)
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:36:36 -0700] rev 33653
clone: add tests for unsafe ssh url (SEC)
Sean Farley <sean@farley.io> [Tue, 01 Aug 2017 14:40:19 -0700] rev 33652
sshpeer: check for safe ssh url (SEC)
Checking in the sshpeer for a rogue ssh:// urls seems like the right
place to do it (instead of whack-a-mole with pull, clone, push, etc).
Augie Fackler <augie@google.com> [Fri, 04 Aug 2017 14:00:03 -0400] rev 33651
ssh: ban any username@host or host that starts with - (SEC)
This paranoia probably isn't required, but it can't hurt either.
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:32:25 -0700] rev 33650
util: add utility method to check for bad ssh urls (SEC)
Our use of SSH has an exploit that will parse the first part of an url
blindly as a hostname. Prior to this set of security patches, a url
with '-oProxyCommand' could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' can be abused to execute
arbitrary commands in a similar fashion.
We defend against this by checking ssh:// URLs and looking for a
hostname that starts with a - or contains a |.
When this happens, let's throw a big abort into the user's face so
that they can inspect what's going on.
Yuya Nishihara <yuya@tcha.org> [Wed, 26 Jul 2017 22:10:15 +0900] rev 33649
pathauditor: disable cache of audited paths by default (
issue5628)
The initial attempt was to discard cache when appropriate, but it appears
to be error prone. We had to carefully inspect all places where audit() is
called e.g. without actually updating filesystem, before removing files and
directories, etc.
So, this patch disables the cache of audited paths by default, and enables
it only for the following cases:
- short-lived auditor objects
- repo.vfs, repo.svfs, and repo.cachevfs, which are managed directories
and considered sort of append-only (a file/directory would never be
replaced with a symlink)
There would be more cacheable vfs objects (e.g. mq.queue.opener), but I
decided not to inspect all of them in this patch. We can make them cached
later.
Benchmark result:
- using old clone of http://selenic.com/repo/linux-2.6/ (38319 files)
- on tmpfs
- run HGRCPATH=/dev/null hg up -q --time tip && hg up -q null
- try 4 times and take the last three results
original:
real 7.480 secs (user 1.140+22.760 sys 0.150+1.690)
real 8.010 secs (user 1.070+22.280 sys 0.170+2.120)
real 7.470 secs (user 1.120+22.390 sys 0.120+1.910)
clearcache (the other series):
real 7.680 secs (user 1.120+23.420 sys 0.140+1.970)
real 7.670 secs (user 1.110+23.620 sys 0.130+1.810)
real 7.740 secs (user 1.090+23.510 sys 0.160+1.940)
enable cache only for vfs and svfs (this series):
real 8.730 secs (user 1.500+25.190 sys 0.260+2.260)
real 8.750 secs (user 1.490+25.170 sys 0.250+2.340)
real 9.010 secs (user 1.680+25.340 sys 0.280+2.540)
remove cache function at all (for reference):
real 9.620 secs (user 1.440+27.120 sys 0.250+2.980)
real 9.420 secs (user 1.400+26.940 sys 0.320+3.130)
real 9.760 secs (user 1.530+27.270 sys 0.250+2.970)
Yuya Nishihara <yuya@tcha.org> [Tue, 01 Aug 2017 21:03:25 +0900] rev 33648
tests: show cache of audited paths is never invalidated
Augie Fackler <augie@google.com> [Thu, 10 Aug 2017 14:23:25 -0400] rev 33647
stable: merge heads
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 14:14:49 -0400] rev 33646
Added signature for changeset
943c91326b23
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 14:14:48 -0400] rev 33645
Added tag 4.2.3 for changeset
943c91326b23
Yuya Nishihara <yuya@tcha.org> [Mon, 07 Aug 2017 22:22:28 +0900] rev 33644
ssh: unban the use of pipe character in user@host:port string
This vulnerability was fixed by the previous patch and there were more ways
to exploit than using '|shellcmd'. So it doesn't make sense to reject only
pipe character.
Test cases are updated to actually try to exploit the bug. As the SSH bridge
of git/svn subrepos are not managed by our code, the tests for non-hg subrepos
are just removed.
This may be folded into the original patches.
Jun Wu <quark@fb.com> [Fri, 04 Aug 2017 23:54:12 -0700] rev 33643
ssh: quote parameters using shellquote (SEC)
This patch uses shellquote to quote ssh parameters more strictly to avoid
shell injection.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:55:11 -0700] rev 33642
subrepo: add tests for git rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:44:17 -0700] rev 33641
subrepo: add tests for svn rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:04:44 -0700] rev 33640
subrepo: add tests for hg rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:40:28 -0700] rev 33639
push: add tests for unsafe ssh url (SEC)
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:47:32 -0700] rev 33638
pull: add tests for unsafe ssh url (SEC)
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:36:36 -0700] rev 33637
clone: add tests for unsafe ssh url (SEC)
Sean Farley <sean@farley.io> [Tue, 01 Aug 2017 14:40:19 -0700] rev 33636
sshpeer: check for safe ssh url (SEC)
Checking in the sshpeer for a rogue ssh:// urls seems like the right
place to do it (instead of whack-a-mole with pull, clone, push, etc).
Augie Fackler <augie@google.com> [Fri, 04 Aug 2017 14:00:03 -0400] rev 33635
ssh: ban any username@host or host that starts with - (SEC)
This paranoia probably isn't required, but it can't hurt either.