changeset 39532:55eea29833d2

narrow: validate patterns returned by expandnarrow Remotes could supply malicious or invalid patterns. We should validate them as soon as possible. Differential Revision: https://phab.mercurial-scm.org/D4523
author Gregory Szorc <gregory.szorc@gmail.com>
date Tue, 11 Sep 2018 10:36:07 -0700
parents 0d572769046a
children f6bcb4f9cd3c
files hgext/narrow/narrowcommands.py
diffstat 1 files changed, 9 insertions(+), 1 deletions(-) [+]
--- a/hgext/narrow/narrowcommands.py	Tue Sep 11 15:25:35 2018 -0700
+++ b/hgext/narrow/narrowcommands.py	Tue Sep 11 10:36:07 2018 -0700
@@ -71,7 +71,15 @@
         includepats, excludepats, heads)
     pullop.repo.ui.debug('Expanded narrowspec to inc=%s, exc=%s\n' % (
         includepats, excludepats))
-    return set(includepats), set(excludepats)
+
+    includepats = set(includepats)
+    excludepats = set(excludepats)
+
+    # Nefarious remote could supply unsafe patterns. Validate them.
+    narrowspec.validatepatterns(includepats)
+    narrowspec.validatepatterns(excludepats)
+
+    return includepats, excludepats
 
 def clonenarrowcmd(orig, ui, repo, *args, **opts):
     """Wraps clone command, so 'hg clone' first wraps localrepo.clone()."""