diff -r 6c10eba6b9cd -r 83377b4b4ae0 mercurial/subrepo.py
--- a/mercurial/subrepo.py	Tue Jan 08 22:07:45 2019 +0900
+++ b/mercurial/subrepo.py	Tue Jan 08 22:19:36 2019 +0900
@@ -115,6 +115,10 @@
                 vfs.unlink(vfs.reljoin(dirname, f))
 
 def _auditsubrepopath(repo, path):
+    # sanity check for potentially unsafe paths such as '~' and '$FOO'
+    if path.startswith('~') or '$' in path or util.expandpath(path) != path:
+        raise error.Abort(_('subrepo path contains illegal component: %s')
+                          % path)
     # auditor doesn't check if the path itself is a symlink
     pathutil.pathauditor(repo.root)(path)
     if repo.wvfs.islink(path):