Mercurial > hg

changeset 7559:016a7319e76b

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merge with -stable
author Matt Mackall <mpm@selenic.com>
date Wed, 31 Dec 2008 18:00:35 -0600
parents dc211ad8d681 (current diff) f03562400824 (diff)
children e05aa73ce2b7
files mercurial/util.py
diffstat 6 files changed, 49 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/.hgsigs	Wed Dec 31 17:59:58 2008 -0600
+++ b/.hgsigs	Wed Dec 31 18:00:35 2008 -0600
@@ -9,3 +9,4 @@
 d2375bbee6d47e62ba8e415c86e83a465dc4dce9 0 iD8DBQBIo1wpywK+sNU5EO8RAmRNAJ94x3OFt6blbqu/yBoypm/AJ44fuACfUaldXcV5z9tht97hSp22DVTEPGc=
 2a67430f92f15ea5159c26b09ec4839a0c549a26 0 iEYEABECAAYFAkk1hykACgkQywK+sNU5EO85QACeNJNUanjc2tl4wUoPHNuv+lSj0ZMAoIm93wSTc/feyYnO2YCaQ1iyd9Nu
 3773e510d433969e277b1863c317b674cbee2065 0 iEYEABECAAYFAklNbbAACgkQywK+sNU5EO8o+gCfeb2/lfIJZMvyDA1m+G1CsBAxfFsAoIa6iAMG8SBY7hW1Q85Yf/LXEvaE
+11a4eb81fb4f4742451591489e2797dc47903277 0 iEYEABECAAYFAklcAnsACgkQywK+sNU5EO+uXwCbBVHNNsLy1g7BlAyQJwadYVyHOXoAoKvtAVO71+bv7EbVoukwTzT+P4Sx
--- a/.hgtags	Wed Dec 31 17:59:58 2008 -0600
+++ b/.hgtags	Wed Dec 31 18:00:35 2008 -0600
@@ -21,3 +21,4 @@
 d2375bbee6d47e62ba8e415c86e83a465dc4dce9 1.0.2
 2a67430f92f15ea5159c26b09ec4839a0c549a26 1.1
 3773e510d433969e277b1863c317b674cbee2065 1.1.1
+11a4eb81fb4f4742451591489e2797dc47903277 1.1.2
--- a/mercurial/util.py	Wed Dec 31 17:59:58 2008 -0600
+++ b/mercurial/util.py	Wed Dec 31 18:00:35 2008 -0600
@@ -814,9 +814,15 @@
             return
         normpath = os.path.normcase(path)
         parts = splitpath(normpath)
-        if (os.path.splitdrive(path)[0] or parts[0] in ('.hg', '')
+        if (os.path.splitdrive(path)[0] or parts[0] in ('.hg', '.hg.', '')
             or os.pardir in parts):
             raise Abort(_("path contains illegal component: %s") % path)
+        if '.hg' in path:
+            for p in '.hg', '.hg.':
+                if p in parts[1:-1]:
+                    pos = parts.index(p)
+                    base = os.path.join(*parts[:pos])
+                    raise Abort(_('path %r is inside repo %r') % (path, base))
         def check(prefix):
             curpath = os.path.join(self.root, prefix)
             try:
Binary file tests/tampered.hg has changed
--- a/tests/test-audit-path	Wed Dec 31 17:59:58 2008 -0600
+++ b/tests/test-audit-path	Wed Dec 31 18:00:35 2008 -0600
@@ -20,4 +20,25 @@
 echo % should still fail - maybe
 hg add b/b
 
+echo % unbundle tampered bundle
+hg init target
+cd target
+hg unbundle $TESTDIR/tampered.hg
+
+echo % attack .hg/test
+hg manifest -r0
+hg update -Cr0
+
+echo % attack foo/.hg/test
+hg manifest -r1
+hg update -Cr1
+
+echo % attack back/test where back symlinks to ..
+hg manifest -r2
+hg update -Cr2
+
+echo % attack ../test
+hg manifest -r3
+hg update -Cr3
+
 exit 0
--- a/tests/test-audit-path.out	Wed Dec 31 17:59:58 2008 -0600
+++ b/tests/test-audit-path.out	Wed Dec 31 18:00:35 2008 -0600
@@ -6,3 +6,22 @@
 % should succeed
 % should still fail - maybe
 abort: path 'b/b' traverses symbolic link 'b'
+% unbundle tampered bundle
+adding changesets
+adding manifests
+adding file changes
+added 4 changesets with 5 changes to 5 files (+3 heads)
+(run 'hg heads' to see heads, 'hg merge' to merge)
+% attack .hg/test
+.hg/test
+abort: path contains illegal component: .hg/test
+% attack foo/.hg/test
+foo/.hg/test
+abort: path 'foo/.hg/test' is inside repo 'foo'
+% attack back/test where back symlinks to ..
+back
+back/test
+abort: path 'back/test' traverses symbolic link 'back'
+% attack ../test
+../test
+abort: path contains illegal component: ../test