Tue, 22 Mar 2016 17:27:27 -0700 convert: test for shell injection in git calls (SEC) stable 3.7.3
Mateusz Kwapich <mitrandir@fb.com> [Tue, 22 Mar 2016 17:27:27 -0700] rev 28663
convert: test for shell injection in git calls (SEC) CVE-2016-3069 (5/5) Before recent refactoring we were not escaping calls to git at all which made such injections possible. Let's have a test for that to avoid this problem in the future. Reported by Blake Burkhart.
Tue, 22 Mar 2016 17:05:11 -0700 convert: rewrite gitpipe to use common.commandline (SEC) stable
Mateusz Kwapich <mitrandir@fb.com> [Tue, 22 Mar 2016 17:05:11 -0700] rev 28662
convert: rewrite gitpipe to use common.commandline (SEC) CVE-2016-3069 (4/5)
Tue, 22 Mar 2016 17:05:11 -0700 convert: dead code removal - old git calling functions (SEC) stable
Mateusz Kwapich <mitrandir@fb.com> [Tue, 22 Mar 2016 17:05:11 -0700] rev 28661
convert: dead code removal - old git calling functions (SEC) CVE-2016-3069 (3/5)
Tue, 22 Mar 2016 17:05:11 -0700 convert: rewrite calls to Git to use the new shelling mechanism (SEC) stable
Mateusz Kwapich <mitrandir@fb.com> [Tue, 22 Mar 2016 17:05:11 -0700] rev 28660
convert: rewrite calls to Git to use the new shelling mechanism (SEC) CVE-2016-3069 (2/5) One test output changed because we were ignoring git return code in numcommits before.
Tue, 22 Mar 2016 17:05:11 -0700 convert: add new, non-clowny interface for shelling out to git (SEC) stable
Mateusz Kwapich <mitrandir@fb.com> [Tue, 22 Mar 2016 17:05:11 -0700] rev 28659
convert: add new, non-clowny interface for shelling out to git (SEC) CVE-2016-3069 (1/5) To avoid shell injection and for the sake of simplicity let's use the common.commandline for calling git.
Sun, 20 Mar 2016 21:52:21 -0700 subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC) stable
Mateusz Kwapich <mitrandir@fb.com> [Sun, 20 Mar 2016 21:52:21 -0700] rev 28658
subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC) CVE-2016-3068 (1/1) Git's git-remote-ext remote helper provides an ext:: URL scheme that allows running arbitrary shell commands. This feature allows implementing simple git smart transports with a single shell shell command. However, git submodules could clone arbitrary URLs specified in the .gitmodules file. This was reported as CVE-2015-7545 and fixed in git v2.6.1. However, if a user directly clones a malicious ext URL, the git client will still run arbitrary shell commands. Mercurial is similarly effected. Mercurial allows specifying git repositories as subrepositories. Git ext:: URLs can be specified as Mercurial subrepositories allowing arbitrary shell commands to be run on `hg clone ...`. The Mercurial community would like to thank Blake Burkhart for reporting this issue. The description of the issue is copied from Blake's report. This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env variable to git commands with the same list of allowed protocols that git submodule is using. When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it to git without modifications.
Wed, 16 Mar 2016 17:30:26 -0700 parsers: detect short records (SEC) stable
Matt Mackall <mpm@selenic.com> [Wed, 16 Mar 2016 17:30:26 -0700] rev 28657
parsers: detect short records (SEC) CVE-2016-3630 (2/2) This addresses part of a vulnerability in binary delta application.
Wed, 16 Mar 2016 17:29:29 -0700 parsers: fix list sizing rounding error (SEC) stable
Matt Mackall <mpm@selenic.com> [Wed, 16 Mar 2016 17:29:29 -0700] rev 28656
parsers: fix list sizing rounding error (SEC) CVE-2016-3630 (1/2) This addresses part of a vulnerability in application of binary deltas.
Mon, 28 Mar 2016 17:16:00 -0500 merge with stable
Matt Mackall <mpm@selenic.com> [Mon, 28 Mar 2016 17:16:00 -0500] rev 28655
merge with stable
Mon, 28 Mar 2016 09:12:03 +0200 debugsetparents: remove redundant invocations of begin/endparentchange
liscju <piotr.listkiewicz@gmail.com> [Mon, 28 Mar 2016 09:12:03 +0200] rev 28654
debugsetparents: remove redundant invocations of begin/endparentchange Method localrepo.setparents invokes begin/endparentchange internally, so there is no need to invoke it explicitly in debugsetparents.
Sun, 27 Mar 2016 13:13:19 -0700 sslutil: add docstring to wrapsocket()
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 13:13:19 -0700] rev 28653
sslutil: add docstring to wrapsocket() Security should not be opaque.
Sun, 27 Mar 2016 11:39:39 -0700 sslutil: remove indentation in wrapsocket declaration
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 11:39:39 -0700] rev 28652
sslutil: remove indentation in wrapsocket declaration It is no longer needed because we have a single code path.
Sun, 27 Mar 2016 14:18:32 -0700 sslutil: always use SSLContext
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 14:18:32 -0700] rev 28651
sslutil: always use SSLContext Now that we have a fake SSLContext instance, we can unify the code paths for wrapping sockets to always use the SSLContext APIs. Because this is security code, I've retained the try..except to make the diff easier to read. It will be removed in the next patch. I took the liberty of updating the inline docs about supported protocols and how the constants work because this stuff is important and needs to be explicitly documented.
Sun, 27 Mar 2016 14:08:52 -0700 sslutil: move _canloaddefaultcerts logic
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 14:08:52 -0700] rev 28650
sslutil: move _canloaddefaultcerts logic We now have a newer block accessing SSLContext. Let's move this code to make subsequent refactorings of the former block easier.
Sun, 27 Mar 2016 13:50:34 -0700 sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 13:50:34 -0700] rev 28649
sslutil: implement SSLContext class Python <2.7.9 doesn't have a ssl.SSLContext class. In this patch, we implement the interface to the class so we can have a unified code path for all supported versions of Python. This is similar to the approach that urllib3 takes.
Sun, 27 Mar 2016 10:47:24 -0700 sslutil: store OP_NO_SSL* constants in module scope
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 10:47:24 -0700] rev 28648
sslutil: store OP_NO_SSL* constants in module scope An upcoming patch will introduce a global SSLContext type so we have a single function used to wrap sockets. Prepare for that by introducing module level constants for disabling SSLv2 and SSLv3.
Sun, 27 Mar 2016 14:07:06 -0700 sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 14:07:06 -0700] rev 28647
sslutil: better document state of security/ssl module Pythons older than 2.7.9 are lacking the modern ssl module and have horrible security. Let's document this explicitly.
Mon, 28 Mar 2016 01:57:44 +0530 tests: make tinyproxy.py use print_function
Pulkit Goyal <7895pulkit@gmail.com> [Mon, 28 Mar 2016 01:57:44 +0530] rev 28646
tests: make tinyproxy.py use print_function
Mon, 28 Mar 2016 04:02:07 +0000 run-tests: use canonpath for with-python3
timeless <timeless@mozdev.org> [Mon, 28 Mar 2016 04:02:07 +0000] rev 28645
run-tests: use canonpath for with-python3
Mon, 28 Mar 2016 04:01:21 +0000 run-tests: add canonpath function
timeless <timeless@mozdev.org> [Mon, 28 Mar 2016 04:01:21 +0000] rev 28644
run-tests: add canonpath function consistently use realpath+expanduser
Mon, 28 Mar 2016 03:40:30 +0000 tests: glob py3 line numbers
timeless <timeless@mozdev.org> [Mon, 28 Mar 2016 03:40:30 +0000] rev 28643
tests: glob py3 line numbers Since not everyone is running py3.5 and code changes periodically, avoid pinning line numbers for invalid syntax errors.
Mon, 28 Mar 2016 03:35:08 +0000 tests: update py3.5 output
timeless <timeless@mozdev.org> [Mon, 28 Mar 2016 03:35:08 +0000] rev 28642
tests: update py3.5 output 6d7da0901a28 removed one item...
Thu, 17 Mar 2016 14:50:29 +0000 summary: move mergemod before parents to give access to ms
timeless <timeless@mozdev.org> [Thu, 17 Mar 2016 14:50:29 +0000] rev 28641
summary: move mergemod before parents to give access to ms
Thu, 17 Mar 2016 00:36:01 +0000 filemerge: use revset notation for p1/p2 of local/other descriptions
timeless <timeless@mozdev.org> [Thu, 17 Mar 2016 00:36:01 +0000] rev 28640
filemerge: use revset notation for p1/p2 of local/other descriptions
(0) -10000 -3000 -1000 -300 -100 -50 -24 +24 +50 +100 +300 +1000 +3000 +10000 tip