Thu, 10 Aug 2017 14:14:49 -0400 Added signature for changeset 943c91326b23 stable
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 14:14:49 -0400] rev 33646
Added signature for changeset 943c91326b23
Thu, 10 Aug 2017 14:14:48 -0400 Added tag 4.2.3 for changeset 943c91326b23 stable
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 14:14:48 -0400] rev 33645
Added tag 4.2.3 for changeset 943c91326b23
Mon, 07 Aug 2017 22:22:28 +0900 ssh: unban the use of pipe character in user@host:port string stable 4.2.3
Yuya Nishihara <yuya@tcha.org> [Mon, 07 Aug 2017 22:22:28 +0900] rev 33644
ssh: unban the use of pipe character in user@host:port string This vulnerability was fixed by the previous patch and there were more ways to exploit than using '|shellcmd'. So it doesn't make sense to reject only pipe character. Test cases are updated to actually try to exploit the bug. As the SSH bridge of git/svn subrepos are not managed by our code, the tests for non-hg subrepos are just removed. This may be folded into the original patches.
Fri, 04 Aug 2017 23:54:12 -0700 ssh: quote parameters using shellquote (SEC) stable
Jun Wu <quark@fb.com> [Fri, 04 Aug 2017 23:54:12 -0700] rev 33643
ssh: quote parameters using shellquote (SEC) This patch uses shellquote to quote ssh parameters more strictly to avoid shell injection.
Mon, 31 Jul 2017 14:55:11 -0700 subrepo: add tests for git rogue ssh urls (SEC) stable
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:55:11 -0700] rev 33642
subrepo: add tests for git rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.
Mon, 31 Jul 2017 16:44:17 -0700 subrepo: add tests for svn rogue ssh urls (SEC) stable
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:44:17 -0700] rev 33641
subrepo: add tests for svn rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.
Mon, 31 Jul 2017 16:04:44 -0700 subrepo: add tests for hg rogue ssh urls (SEC) stable
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:04:44 -0700] rev 33640
subrepo: add tests for hg rogue ssh urls (SEC) 'ssh://' has an exploit that will pass the url blindly to the ssh command, allowing a malicious person to have a subrepo with '-oProxyCommand' which could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' is able to execute arbitrary commands. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.
Mon, 31 Jul 2017 14:40:28 -0700 push: add tests for unsafe ssh url (SEC) stable
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:40:28 -0700] rev 33639
push: add tests for unsafe ssh url (SEC)
Fri, 28 Jul 2017 16:47:32 -0700 pull: add tests for unsafe ssh url (SEC) stable
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:47:32 -0700] rev 33638
pull: add tests for unsafe ssh url (SEC)
Fri, 28 Jul 2017 16:36:36 -0700 clone: add tests for unsafe ssh url (SEC) stable
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:36:36 -0700] rev 33637
clone: add tests for unsafe ssh url (SEC)
Tue, 01 Aug 2017 14:40:19 -0700 sshpeer: check for safe ssh url (SEC) stable
Sean Farley <sean@farley.io> [Tue, 01 Aug 2017 14:40:19 -0700] rev 33636
sshpeer: check for safe ssh url (SEC) Checking in the sshpeer for a rogue ssh:// urls seems like the right place to do it (instead of whack-a-mole with pull, clone, push, etc).
Fri, 04 Aug 2017 14:00:03 -0400 ssh: ban any username@host or host that starts with - (SEC) stable
Augie Fackler <augie@google.com> [Fri, 04 Aug 2017 14:00:03 -0400] rev 33635
ssh: ban any username@host or host that starts with - (SEC) This paranoia probably isn't required, but it can't hurt either.
Fri, 28 Jul 2017 16:32:25 -0700 util: add utility method to check for bad ssh urls (SEC) stable
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:32:25 -0700] rev 33634
util: add utility method to check for bad ssh urls (SEC) Our use of SSH has an exploit that will parse the first part of an url blindly as a hostname. Prior to this set of security patches, a url with '-oProxyCommand' could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' can be abused to execute arbitrary commands in a similar fashion. We defend against this by checking ssh:// URLs and looking for a hostname that starts with a - or contains a |. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.
Wed, 26 Jul 2017 22:10:15 +0900 pathauditor: disable cache of audited paths by default (issue5628) stable
Yuya Nishihara <yuya@tcha.org> [Wed, 26 Jul 2017 22:10:15 +0900] rev 33633
pathauditor: disable cache of audited paths by default (issue5628) The initial attempt was to discard cache when appropriate, but it appears to be error prone. We had to carefully inspect all places where audit() is called e.g. without actually updating filesystem, before removing files and directories, etc. So, this patch disables the cache of audited paths by default, and enables it only for the following cases: - short-lived auditor objects - repo.vfs, repo.svfs, and repo.cachevfs, which are managed directories and considered sort of append-only (a file/directory would never be replaced with a symlink) There would be more cacheable vfs objects (e.g. mq.queue.opener), but I decided not to inspect all of them in this patch. We can make them cached later. Benchmark result: - using old clone of http://selenic.com/repo/linux-2.6/ (38319 files) - on tmpfs - run HGRCPATH=/dev/null hg up -q --time tip && hg up -q null - try 4 times and take the last three results original: real 7.480 secs (user 1.140+22.760 sys 0.150+1.690) real 8.010 secs (user 1.070+22.280 sys 0.170+2.120) real 7.470 secs (user 1.120+22.390 sys 0.120+1.910) clearcache (the other series): real 7.680 secs (user 1.120+23.420 sys 0.140+1.970) real 7.670 secs (user 1.110+23.620 sys 0.130+1.810) real 7.740 secs (user 1.090+23.510 sys 0.160+1.940) enable cache only for vfs and svfs (this series): real 8.730 secs (user 1.500+25.190 sys 0.260+2.260) real 8.750 secs (user 1.490+25.170 sys 0.250+2.340) real 9.010 secs (user 1.680+25.340 sys 0.280+2.540) remove cache function at all (for reference): real 9.620 secs (user 1.440+27.120 sys 0.250+2.980) real 9.420 secs (user 1.400+26.940 sys 0.320+3.130) real 9.760 secs (user 1.530+27.270 sys 0.250+2.970)
Tue, 01 Aug 2017 21:03:25 +0900 tests: show cache of audited paths is never invalidated stable
Yuya Nishihara <yuya@tcha.org> [Tue, 01 Aug 2017 21:03:25 +0900] rev 33632
tests: show cache of audited paths is never invalidated
(0) -30000 -10000 -3000 -1000 -300 -100 -15 +15 +100 +300 +1000 +3000 +10000 tip