hg: tolerate long vs. int in test-context.py The file times here can be longs instead of ints on some platforms, which will cause a test failure due to these printing with an L suffix; instead always format with %d which will produce the same output in either case. Differential Revision: https://phab.mercurial-scm.org/D361

configitems: register the 'notify.test' config

configitems: register the 'notify.template' config

configitems: register the 'notify.style' config

configitems: register the 'notify.strip' config

configitems: register the 'notify.sources' config

configitems: register the 'notify.merge' config

configitems: register the 'notify.mbox' config

configitems: register the 'notify.maxsubject' config

configitems: register the 'notify.maxdiff' config

configitems: register the 'notify.fromauthor' config

configitems: register the 'notify.domain' config

configitems: register the 'notify.diffstat' config

configitems: register the 'notify.config' config

merge with stable

merge with stable

obsutil: rename allprecursors into allpredecessors Use util.nouideprecwarn because obsstore doesn't have easy access to an ui object. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D247

obsolete: rename precursor into predecessor in obsolete docstrings The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D246

obsstore: rename precursors into predecessors Use util.nouideprecwarn because obsstore doesn't have easy access to an ui object. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D245

obsolete: rename _addprecursors into _addpredecessors Use util.nouideprecwarn because _addpredecessors doesn't have easy access to an ui object. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D244

obsmarker: rename precnode into prednode Rename prednode (predecessors node) into precnode (precursors node) in markers class. Use util.nouideprecwarn because markers doesn't have easy access to an ui object. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D243

context: rename troubled into isunstable As we changed the meaning of unstable between the old vocabulary and the new one, we can't reuse the unstable method name at the risk of breaking extensions calling unstable and getting a wrong result. Instead rename troubled into isunstable so extensions will continue to work. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D242

context: rename bumped into phasedivergent Rename bumped context method into phasedivergent and add a deprecation warning on bumped. Only update all callers to keep the patch straightforward. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D241

context: rename divergent into contentdivergent Rename divergent context method into contentdivergent and add a deprecation warning on divergent. Only update all callers to keep the patch straightforward. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D240

context: rename unstable into orphan Rename unstable context method into orphan and add a deprecation warning on unstable. Only update all callers to keep the patch straightforward. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D239

context: rename troubles into instabilities Rename troubles context method into instabilities. Copy the old troubles method and add a deprecation warning. This way extensions calling troubles will see the deprecation warning but will not break due to new return values. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D238

repair: move manifest strip to a separate function This moves manifest stripping to a separate function so implementations of the manifest that don't support stripping can replace this function with a no-op. I considered adding a strip api to the manifestlog, so other implementations could make it a no-op there, but it seems like strip might be unique to the revlog implementation, and therefore shouldn't be present on the generic api. Differential Revision: https://phab.mercurial-scm.org/D292

repair: refactor broken linkrev collection This refactors broken linkrev collection such that manifest collection is in a separate function. This allows extensions to replace the manifest collection with a non-revlog oriented version. I considered moving the collect changes function onto the manifestlog itself, so it would be behind the abstraction, but since the store we're building doesn't even have the concept of strip, embeding that concept in the manifestlog api seemed odd. Differential Revision: https://phab.mercurial-scm.org/D291

tests: update duplicateoptions test to use bytestrings everywhere Test now passes on Python 3. Differential Revision: https://phab.mercurial-scm.org/D297

extensions: attempt to use non-deprecated inspect method Avoids some deprecation warnings when extension loading breaks. Differential Revision: https://phab.mercurial-scm.org/D295

tests: clean up many print statements to be print functions instead Differential Revision: https://phab.mercurial-scm.org/D294

tests: fix simple heredoc print statements to work on Py3 There are a handful left that require some more care. Differential Revision: https://phab.mercurial-scm.org/D293

obsolete: use bytes() instead of str() so the node is bytes on py3 I'm not sure this is right, since this should either be bytes or str to match what's going on in the revlog layer. Differential Revision: https://phab.mercurial-scm.org/D271

tests: fix test-notify.t to use $PYTHON In doing so, I consolidated the filtering logic. This resulted in some small test output changes, but I think the consistency throughout the test is worth it. Differential Revision: https://phab.mercurial-scm.org/D279

tests: make test-highlight code portable to python3 This is easier than trying to do some sort of check-code shenanigans. Differential Revision: https://phab.mercurial-scm.org/D278

dagparser: make print statement in doctest Py3 portable Differential Revision: https://phab.mercurial-scm.org/D277

i18n: fix check-translation.py to be less broken on Python 3 These are all simple one-argument print statements, so this syntax works the same way in 2 and 3. Differential Revision: https://phab.mercurial-scm.org/D276

ui: refactor extractchoices so it doesn't break on Python 3 Differential Revision: https://phab.mercurial-scm.org/D275

obsutil: defend against succsmarkers() returning None I'm not sure if this is a realistic problem, but doing this avoids some pretty awful test failures on Python 3, and it looks like it should be harmless. Differential Revision: https://phab.mercurial-scm.org/D274

changegroup: more **kwargs Differential Revision: https://phab.mercurial-scm.org/D273

bundle2: convert ints to strings using pycompat.bytestring() Fixes some Python 3 regressions. We don't use %d here because the part id is actually an Optional[int]. It should always be initialized to a non-None value by the time this code executes, but we shouldn't blindly depend on that being the case. Differential Revision: https://phab.mercurial-scm.org/D272

tests: fix up test-run-tests failures on Python 3.6 Some of the recent work on run-tests.py didn't work on Python 3. This fixes the regressions. Differential Revision: https://phab.mercurial-scm.org/D270

template: rename troubles templatekw into instabilities Rename troubles template keyword into instabilities and add a deprecation warning on templatekw. Update default mapfile and test files to use the new template keyword. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D237

test-rebase: add a brute force test Rebase is becoming more complex and it looks like a good idea to try some brute force enumeration to cover cases that are hard to find manually. Using brute force to generate repos in different shapes and enumerating the rebase source and destination would generate too many cases that takes too long to compute. This patch limits the "brute force" to only the "rebase source" part. Repo and destination are still manual. The added test cases are crafted manually to reveal some behaviors that are not covered by other tests: - "revlog index out of range" crash - after rebase, p1 == p2, p2 != null - "nothing to merge" abort In the future we might want to add more tests here. For now I'm more interested in revealing interesting behaviors in a minified way. I tried some more complex cases but didn't find other interesting behaviors. Differential Revision: https://phab.mercurial-scm.org/D262

dirstate: simplify dirstate's __iter__ Probably also a performance win, but not measurable in perfdirstate. Differential Revision: https://phab.mercurial-scm.org/D269

repo: skip invalidation of changelog if it has 'delayed' changes (API) The changelog object can store recently added revisions in memory until the transaction is committed. We don't want to lose those changes even if repo.invalidate(clearfilecache=True), so let's skip the changelog when it has such 'delayed' changes. Differential Revision: https://phab.mercurial-scm.org/D152

httppeer: make several instance attributes internal (API) Peer instances are supposed to conform to a well-defined API so consumers can be agnostic about the underlying peer type. To reinforce this, this commit renames a handful of instance attributes on httpeer so they no longer have a "public" name. Differential Revision: https://phab.mercurial-scm.org/D268

httppeer: remove unused handler attribute The consumer of this attribute was removed by b6bd4ee6ed85 in 2008. Differential Revision: https://phab.mercurial-scm.org/D267

localrepo: remove unused requirements attributes on localpeer (API) The previous changeset removed the last consumer of requirements. I'm not sure when supportedformats became unused. But I couldn't find any obvious instances where it is being used. It likely stems from peers being derived from repository instances several years ago and is a holdover from that day. Differential Revision: https://phab.mercurial-scm.org/D266

exchange: access requirements on repo instead of peer As part of formalizing the peer interface, I audited for attribute accesses for non-internal names to find API violations. This uncovered the code changed in this commit. localpeer.requirements is just an alias to the repo's requirements attribute. So, change the code to get the data from the source instead of relying on a one-off attribute in the localpeer type. Differential Revision: https://phab.mercurial-scm.org/D265

exchange: drop support for lock-based unbundling (BC) Locking over the wire protocol and the "addchangegroup" wire protocol command has been deprecated since e8c4f3d3df8c, which was first part of Mercurial 0.9.1. Support for handling these commands from sshserver was dropped in 9f6e0e7ef828 in 2015, effectively locking out pre 0.9.1 clients from new servers. However, client-side code for calling lock and addchangegroup is still present in exchange.py and the various peer classes to facilitate pushing to pre 0.9.1 servers. The lock-based pushing mechanism is extremely brittle. 0.9.1 was released in July 2006 and I highly doubt anyone is still running such an ancient version of Mercurial on a server. I'm about to refactor the peer API and I don't think it is worth keeping support for this ancient protocol feature. So, this commit removes client support for the lock-based pushing mechanism. This means modern clients will no longer be able to push to pre 0.9.1 servers. Differential Revision: https://phab.mercurial-scm.org/D264

http: add a test of actually pushing with httppostargs This was previously untested. Sigh. Differential Revision: https://phab.mercurial-scm.org/D230

filemerge: move decorator definition for internal merge tools to registrar This patch also adds extra loading entry for internal merge tools to extensions.py, for similarity to other decorators defined in registrar.py. This patch uses "internalmerge" for decorator class name, instead of original "internaltool", because the latter is too generic. BTW, after this patch, 4-spaces indentation is added to the 1st line of internal merge tool description docstring, and this may make already translated entries in *.po fuzzy. Even though this indentation is required for "definition list" in reST syntax, absence of it has been overlooked, because help.makeitemsdoc() forcibly inserts it at generation of online help. But this forcible insertion causes formatting issue (I'll send another patch series for this). Therefore, this additional indentation should be reasonable.

releasenotes: add similarity check function to compare incoming notes It is possible that the incoming note fragments have some similar content as the existing release notes. In case of a bug fix, we match for issueNNNN in the existing notes. For other general cases, it makes use of fuzzywuzzy library to get a similarity score. If the score is above a certain threshold, we ignore the fragment, otherwise add it. But the score might be misleading for small commit messages. So, it uses similarity function only if the length of string (in words) is above a certain value. The patch adds tests related to its usage. But it needs improvement in the sense of combining incoming notes. We can use interactive mode for adding notes. Maybe we can do this if similarity is under a certain range.

releasenotes: add import check for fuzzywuzzy This patch adds the has_fuzzywuzzy for import check of external dependency fuzzywuzzy.

run-tests: don't drop optional lines after a missing unconditional line The previous behavior was to bail out when hitting 'awol', so 'missing (?)' was also dropped.

run-tests: drop required (feature !) style lines when the output is missing Essentially, these were acting as a verbose (?) flag, since they weren't being dropped when required. Foozy has a nice description [1]. Basically, a couple more places needed to check the features before treating it as optional. I don't like how test-run-tests.py had to be hacked, but _hghave() can't be made a static method. The test change was a change while developing `debugssl`, prior to tightening up the cases where the message is printed, that this fix would have caught. [1] https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-July/101941.html

status: avoid recursing into ignored directory with "--terse u" Let "isignoreddir" function first check that supplied directory is itself ignored before walking recursively into its content. Otherwise, the command is awfully slow when one has an ignored directory with a lot of content. Update and rephrase function docstring accordingly.

pushvars: move fb extension pushvars to core pushvars extension in fbext adds a --pushvars flag to push command using which one send strings to server which becomes environment variables there prepended with HG_USERVAR_. These variables can then be used to run hooks on the server. The extension is moved directly to core and unbundling of the strings and converting them to environment variables at server is disabled by default for security reasons. One can turn that on by following config: [push] pushvars.server = true This patch also adds the test for the extension. Differential Revision: https://phab.mercurial-scm.org/D210

phabricator: update diff property even if we choose not to create a new diff The diff property contains metadata like "HG Node". Previously we skip uploading a new diff if we are sure that the old patch and new patch have a same content. That has issues when a pusher adds an obsmarker using the old "HG Node" stored in the old diff. This patch adds logic to update the diff property so "HG Node" gets updated to prevent that issue. Differential Revision: https://phab.mercurial-scm.org/D229

phabricator: use Phabricator's last node information This makes it more strict when checking whether or not we should update a Differential Revision. For example, a) Alice updates D1 to content 1. b) Bob updates D1 to content 2. c) Alice tries to update D1 to content 1. Previously, `c)` will do nothing because `phabsend` detects the patch is not changed. A more correct behavior is to override Bob's update here, hence the patch. This also makes it possible to return a reaonsable "last node" when there is no tags but only `Differential Revision` commit messages. Test Plan: ``` for i in A B C; do echo $i > $i; hg ci -m $i -A $i; done hg phabsend 0:: # D40: created # D41: created # D42: created echo 3 >> C; hg amend; hg phabsend . # D42: updated hg tag --local --hidden -r 2 -f D42 # move tag to the previous version hg phabsend . # D42: skipped (previously it would be "updated") rm -rf .hg; hg init hg phabread --stack D42 | hg import - hg phabsend . # D42: updated hg tag --local --remove D42 hg commit --amend hg phabsend . # D42: updated (no new diff uploaded, previously it will upload a new diff) ``` The old diff object is now returned, which could be useful in the next patch. Differential Revision: https://phab.mercurial-scm.org/D121

phabricator: add --confirm option to phabsend command This adds a --confirm flag similar to the confirm flag of `hg email` using which one can confirm the changesets before they get emailed. The confirm flag will show the changesets and ask for confirmation before sending them. Differential Revision: https://phab.mercurial-scm.org/D218

evolution: rename bumped to phase-divergent Rename bumped to phase-divergent in all external user-facing output. Only update user-facing output for the moment, variables names, templates keyword and potentially configuration would be done in later series. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D216

evolution: rename divergent to content-divergent Rename divergent to content-divergent in all external user-facing output. Only update user-facing output for the moment, variables names, templates keyword and potentially configuration would be done in later series. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D215

py3: use bytes IO to write sample hgrc Unicode sucks. Stop using Text IO and manually convert line endings.

buildrpm: do not break in presence of custom user configs For example, if "hg log" was defined as an alias: # /etc/mercurial/hgrc [alias] log = log --graph the buildrpm script would be surprised by log messages formatted in unexpected ways, and bail out. This patch sets HGPLAIN, effectively resetting all the user configs, including log output, to a common state, making the build more predictable across all the possible environments.

sparse: treat paths as cwd-relative This commit makes it so sparse treats passed paths as CWD-relative, not repo-root-realive. This is a more intuitive behavior in my (and some other FB people's) opinion. This is breaking change however. My hope here is that since sparse is experimental, it's ok to introduce BCs. The reason (glob)s are needed in the test is this: in these two cases we do not supply path together with slashes, but `os.path.join` adds them, which means that under Windows they can be backslashes. To demonstrate this behavior, one could remove the (glob)s and run `./run-tests.py test-sparse.t` from MinGW's terminal on Windows.

match: expose some data and functionality to other modules This patch makes sure that other modules can check whether patterns are CWD-relative.

sparse: properly error out when absolute paths are used Current logic is misleading (it says it drops only absolute paths, but it actually drops all of them), not cross-platform (does not support Windows) and IMO just wrong (as it should just error out if absolute paths are given). This commit fixes it.

py3: convert arbitrary exception object to byte string more reliably Our exception types implement __bytes__(), which should be tried first. Do lossy encoding conversion as a last resort.

build: delay version computation on macOS builds The way HGVER is evaluated now, it'll be evaluated at the beginning of the make execution - with this change, it's evaluated when it gets to that command, at which point the version file it's looking for is sure to exist and be up-to-date. Differential Revision: https://phab.mercurial-scm.org/D224

color: remove warnings if term is not formatted (==dumb or !ui.formatted()) If the user sets color.mode=terminfo, and then runs in the shell inside of emacs (so TERM=dumb), the previous behavior was that it would warn about no terminfo entry for setab/setaf, and then warn about 'failed to set color mode to terminfo'. The first warning is silenced by carrying 'formatted' through to _terminfosetup, the second is silenced by using 'formatted' instead of ui.formatted(). If --color=on (or ui.color=always) is specified, this will still warn, since the formatted boolean is set to true in these cases. Differential Revision: https://phab.mercurial-scm.org/D223

rpms: add chg I'm not sure if there's a reason chg is not added by default. If not, I would like to propose adding in this patch. Differential Revision: https://phab.mercurial-scm.org/D220

tests: demonstrate crash when trying to rebase merge without its parents As the test case shows, when "hg rebase -d G -r 'B + D + F'" is run on the following graph, we crash with traceback. It's reasonable to fail because we can not easily produce a correct rebased F. The problem is what diff to apply to either the rebased B or the rebased D. We could potentially produce the result by e.g. applying the (F-D) diff to the rebased B and then applying the reverse (E-D) diff on top, but that could result in merge conflicts in each of those steps, which we don't have a way of dealing with. So for now, let's just add a test case to demonstrate that we crash (i.e. the AssertionError is clearly incorrect since the user can run into it). F /| C E | | B D G \|/ A Differential Revision: https://phab.mercurial-scm.org/D212

tests: demonstrate broken rebase of merge with p1's successor in dest The fix in 8ede973597fd (rebase: handle successor targets (issue5198), 2016-04-11) only fixed the case where p2's successor was in the destination, and only when the successor was exactly the destination (i.e. not when the successor was an ancestor of it). This patch adds a test case for when p1's successor is in the destination. It adds another one for when the successor is an ancestor of the destination. To do that simply, it also rewrites the test case using drawdag. Differential Revision: https://phab.mercurial-scm.org/D211

bundle2: obtain repr() of exception in a python3-safe way This was exposed by other problems in bundle generation, but I'm not sure how to test it for now.

bundle2: use bytestr() instead of str() to convert part id to bytes This was exposed by trying to run previously-passing Python 3 tests.

bundle2: work around zip() being lazy in Python 3

bundle2: look for __next__ as well as next to identify iterators In Python 3, next is called __next__ and this was failing to catch some iterators.

bundle2: use modern Python division This was failing on Python 3 because the / was returning a float, which was then making the __mul__ on a bytes sad.

changegroup: wrap some ** expansions in strkwargs

obsolete: reuse _fm1metapair for computing _fm1metapairsize It's evaluated at import time, so it seems silly to not reuse the constant name.

setup: fix installing in a mingw environment The addition, in 9a4adc76c88a, of a hack for the MSVC compiler class was overwriting the original class for the Mingw32CCompiler class, leading to an error when the HackedMingw32CCompiler is instantiated. Differential Revision: https://phab.mercurial-scm.org/D329

osx: delay version computation on macOS builds Before this patch, HGVER would be evaluated at the beginning of the make execution, and would be unset because build/mercurial/ doesn't exist yet at that point. Now we compute the version after the `make install` run has completed. This is backported to stable from 8626b44516c1, but that revision had an error in the shell invocation syntax.

evolution: rename unstable to orphan Rename unstable to orphan in all external user-facing output. Only update user-facing output for the moment, variables names, templates keyword and potentially configuration would be done in later series. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D214

evolution: rename trouble(s) to instability Rename trouble(s) to instability in all external user-facing output. Only update user-facing output for the moment, variables names, templates keyword and potentially configuration would be done in later series. The renaming is done according to https://www.mercurial-scm.org/wiki/CEDVocabulary. Differential Revision: https://phab.mercurial-scm.org/D213

bundle2: load hookargs from bundleoperation into transaction when started one When a transaction is started, we must load the hookargs from the bundleoperation object to the transaction so that they can be used in the transaction. Also this patch makes sure no more hookargs are added to the bundleoperation object once the transaction starts. This is a part of porting fb extension bundle2hooks to core. Differential Revision: https://phab.mercurial-scm.org/D209

bundle2: add the capability to store hookargs on bundle operation object There are extensions like pushrebase, pushvars which run hooks on a server before taking the lock. Since the lock is not taken, transaction is not there, so the hookargs can't be stored on the transaction. Adding hooksargs to bundle operation object will help in running hooks before taking the lock. This is a part of moving fb's extension bundle2hooks to core. Differential Revision: https://phab.mercurial-scm.org/D208

branchmap: revert c34532365b38 for Python 2.7 compatibility Old versions of python 2.7 don't like that the second argument to struct.unpack_from is a bytearray, so the change removing the util.buffer around that argument in branchmap broke running on older versions of python 2.7. Differential Revision: https://phab.mercurial-scm.org/D330

Added signature for changeset 3fee7f7d2da0

Added tag 4.3.1 for changeset 3fee7f7d2da0

ssh: unban the use of pipe character in user@host:port string This vulnerability was fixed by the previous patch and there were more ways to exploit than using '|shellcmd'. So it doesn't make sense to reject only pipe character. Test cases are updated to actually try to exploit the bug. As the SSH bridge of git/svn subrepos are not managed by our code, the tests for non-hg subrepos are just removed. This may be folded into the original patches.

ssh: quote parameters using shellquote (SEC) This patch uses shellquote to quote ssh parameters more strictly to avoid shell injection.

subrepo: add tests for git rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.

subrepo: add tests for svn rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.

subrepo: add tests for hg rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.

push: add tests for unsafe ssh url (SEC)

pull: add tests for unsafe ssh url (SEC)

clone: add tests for unsafe ssh url (SEC)

sshpeer: check for safe ssh url (SEC) Checking in the sshpeer for a rogue ssh:// urls seems like the right place to do it (instead of whack-a-mole with pull, clone, push, etc).

ssh: ban any username@host or host that starts with - (SEC) This paranoia probably isn't required, but it can't hurt either.

util: add utility method to check for bad ssh urls (SEC) Our use of SSH has an exploit that will parse the first part of an url blindly as a hostname. Prior to this set of security patches, a url with '-oProxyCommand' could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' can be abused to execute arbitrary commands in a similar fashion. We defend against this by checking ssh:// URLs and looking for a hostname that starts with a - or contains a |. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.

pathauditor: disable cache of audited paths by default (issue5628) The initial attempt was to discard cache when appropriate, but it appears to be error prone. We had to carefully inspect all places where audit() is called e.g. without actually updating filesystem, before removing files and directories, etc. So, this patch disables the cache of audited paths by default, and enables it only for the following cases: - short-lived auditor objects - repo.vfs, repo.svfs, and repo.cachevfs, which are managed directories and considered sort of append-only (a file/directory would never be replaced with a symlink) There would be more cacheable vfs objects (e.g. mq.queue.opener), but I decided not to inspect all of them in this patch. We can make them cached later. Benchmark result: - using old clone of http://selenic.com/repo/linux-2.6/ (38319 files) - on tmpfs - run HGRCPATH=/dev/null hg up -q --time tip && hg up -q null - try 4 times and take the last three results original: real 7.480 secs (user 1.140+22.760 sys 0.150+1.690) real 8.010 secs (user 1.070+22.280 sys 0.170+2.120) real 7.470 secs (user 1.120+22.390 sys 0.120+1.910) clearcache (the other series): real 7.680 secs (user 1.120+23.420 sys 0.140+1.970) real 7.670 secs (user 1.110+23.620 sys 0.130+1.810) real 7.740 secs (user 1.090+23.510 sys 0.160+1.940) enable cache only for vfs and svfs (this series): real 8.730 secs (user 1.500+25.190 sys 0.260+2.260) real 8.750 secs (user 1.490+25.170 sys 0.250+2.340) real 9.010 secs (user 1.680+25.340 sys 0.280+2.540) remove cache function at all (for reference): real 9.620 secs (user 1.440+27.120 sys 0.250+2.980) real 9.420 secs (user 1.400+26.940 sys 0.320+3.130) real 9.760 secs (user 1.530+27.270 sys 0.250+2.970)

tests: show cache of audited paths is never invalidated

stable: merge heads

Added signature for changeset 943c91326b23

Added tag 4.2.3 for changeset 943c91326b23

ssh: unban the use of pipe character in user@host:port string This vulnerability was fixed by the previous patch and there were more ways to exploit than using '|shellcmd'. So it doesn't make sense to reject only pipe character. Test cases are updated to actually try to exploit the bug. As the SSH bridge of git/svn subrepos are not managed by our code, the tests for non-hg subrepos are just removed. This may be folded into the original patches.

ssh: quote parameters using shellquote (SEC) This patch uses shellquote to quote ssh parameters more strictly to avoid shell injection.

subrepo: add tests for git rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.

subrepo: add tests for svn rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.

subrepo: add tests for hg rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.

push: add tests for unsafe ssh url (SEC)

pull: add tests for unsafe ssh url (SEC)

clone: add tests for unsafe ssh url (SEC)

sshpeer: check for safe ssh url (SEC) Checking in the sshpeer for a rogue ssh:// urls seems like the right place to do it (instead of whack-a-mole with pull, clone, push, etc).

ssh: ban any username@host or host that starts with - (SEC) This paranoia probably isn't required, but it can't hurt either.

util: add utility method to check for bad ssh urls (SEC) Our use of SSH has an exploit that will parse the first part of an url blindly as a hostname. Prior to this set of security patches, a url with '-oProxyCommand' could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' can be abused to execute arbitrary commands in a similar fashion. We defend against this by checking ssh:// URLs and looking for a hostname that starts with a - or contains a |. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.

pathauditor: disable cache of audited paths by default (issue5628) The initial attempt was to discard cache when appropriate, but it appears to be error prone. We had to carefully inspect all places where audit() is called e.g. without actually updating filesystem, before removing files and directories, etc. So, this patch disables the cache of audited paths by default, and enables it only for the following cases: - short-lived auditor objects - repo.vfs, repo.svfs, and repo.cachevfs, which are managed directories and considered sort of append-only (a file/directory would never be replaced with a symlink) There would be more cacheable vfs objects (e.g. mq.queue.opener), but I decided not to inspect all of them in this patch. We can make them cached later. Benchmark result: - using old clone of http://selenic.com/repo/linux-2.6/ (38319 files) - on tmpfs - run HGRCPATH=/dev/null hg up -q --time tip && hg up -q null - try 4 times and take the last three results original: real 7.480 secs (user 1.140+22.760 sys 0.150+1.690) real 8.010 secs (user 1.070+22.280 sys 0.170+2.120) real 7.470 secs (user 1.120+22.390 sys 0.120+1.910) clearcache (the other series): real 7.680 secs (user 1.120+23.420 sys 0.140+1.970) real 7.670 secs (user 1.110+23.620 sys 0.130+1.810) real 7.740 secs (user 1.090+23.510 sys 0.160+1.940) enable cache only for vfs and svfs (this series): real 8.730 secs (user 1.500+25.190 sys 0.260+2.260) real 8.750 secs (user 1.490+25.170 sys 0.250+2.340) real 9.010 secs (user 1.680+25.340 sys 0.280+2.540) remove cache function at all (for reference): real 9.620 secs (user 1.440+27.120 sys 0.250+2.980) real 9.420 secs (user 1.400+26.940 sys 0.320+3.130) real 9.760 secs (user 1.530+27.270 sys 0.250+2.970)

tests: show cache of audited paths is never invalidated