# HG changeset patch
# User Pierre-Yves David
# Date 1624497723 -7200
# Node ID 65c519661991f6073eef93cc24a809ae14bf4761
# Parent 25d36300ba8e13dcec9ba7dfc3f10fa1be4b3c44
stream: double check that self.vfs is *not* in the vfsmap
The stream clone logic allows for writing any content to any file under various vfs. This is *not* suitable for *vfs*, since writing in `.hg/` directly allow to modify the configuration and is a great and simple gateway for remote code execution.
Differential Revision: https://phab.mercurial-scm.org/D10905
diff -r 25d36300ba8e -r 65c519661991 mercurial/streamclone.py
--- a/mercurial/streamclone.py Wed Jun 30 14:17:28 2021 +0200
+++ b/mercurial/streamclone.py Thu Jun 24 03:22:03 2021 +0200
@@ -560,6 +560,16 @@
 def _emit2(repo, entries, totalfilesize):
 """actually emit the stream bundle"""
 vfsmap = _makemap(repo)
+ # we keep repo.vfs out of the on purpose, ther are too many danger there
+ # (eg: .hg/hgrc),
+ #
+ # this assert is duplicated (from _makemap) as author might think this is
+ # fine, while this is really not fine.
+ if repo.vfs in vfsmap.values():
+ raise error.ProgrammingError(
+ b'repo.vfs must not be added to vfsmap for security reasons'
+ )
+
+ progress = repo.ui.makeprogress(
 _(b'bundle'), total=totalfilesize, unit=_(b'bytes')
 )
@@ -685,6 +695,15 @@
 progress.update(0)
 vfsmap = _makemap(repo)
+ # we keep repo.vfs out of the on purpose, ther are too many danger
+ # there (eg: .hg/hgrc),
+ #
+ # this assert is duplicated (from _makemap) as author might think this
+ # is fine, while this is really not fine.
+ if repo.vfs in vfsmap.values():
+ raise error.ProgrammingError(
+ b'repo.vfs must not be added to vfsmap for security reasons'
+ )
 with repo.transaction(b'clone'):
 ctxs = (vfs.backgroundclosing(repo.ui) for vfs in vfsmap.values())
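Review bot: The guard `if repo.vfs in vfsmap.values():` added to `_emit2` only matches the `repo.vfs` object itself (membership falls back to identity unless the vfs class defines equality, which is not visible here), so a second vfs instance rooted at the same `.hg/` directory would pass; the identical check in the second hunk (`@@ -685,6 +695,15 @@`) has the same limitation. If the invariant is "nothing in the map may write under `.hg/` directly", comparing locations is stricter, for example `if any(v.base == repo.vfs.base for v in vfsmap.values()):`, assuming every mapped vfs exposes `base`. The comment that documents this security invariant is also missing a word and has a typo; I would write `# we keep repo.vfs out of the map on purpose, there are too many dangers there` and say "check" rather than "assert", since the code raises `ProgrammingError` rather than asserting. `_emit2` continues past the end of the hunk.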