Mercurial > hg
changeset 47502:65c519661991 stable
stream: double check that self.vfs is *not* in the vfsmap
The stream clone logic allows for writing any content to any file under various
vfs. This is *not* suitable for *vfs*, since writing in `.hg/` directly allow to
modify the configuration and is a great and simple gateway for remote code
execution.
Differential Revision: https://phab.mercurial-scm.org/D10905
| author | Pierre-Yves David <pierre-yves.david@octobus.net> |
|---|---|
| date | Thu, 24 Jun 2021 03:22:03 +0200 |
| parents | 25d36300ba8e |
| children | bd0a2a919bf8 |
| files | mercurial/streamclone.py |
| diffstat | 1 files changed, 19 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/streamclone.py Wed Jun 30 14:17:28 2021 +0200 +++ b/mercurial/streamclone.py Thu Jun 24 03:22:03 2021 +0200 @@ -560,6 +560,16 @@ def _emit2(repo, entries, totalfilesize): """actually emit the stream bundle""" vfsmap = _makemap(repo) + # we keep repo.vfs out of the on purpose, ther are too many danger there + # (eg: .hg/hgrc), + # + # this assert is duplicated (from _makemap) as author might think this is + # fine, while this is really not fine. + if repo.vfs in vfsmap.values(): + raise error.ProgrammingError( + b'repo.vfs must not be added to vfsmap for security reasons' + ) + progress = repo.ui.makeprogress( _(b'bundle'), total=totalfilesize, unit=_(b'bytes') ) @@ -685,6 +695,15 @@ progress.update(0) vfsmap = _makemap(repo) + # we keep repo.vfs out of the on purpose, ther are too many danger + # there (eg: .hg/hgrc), + # + # this assert is duplicated (from _makemap) as author might think this + # is fine, while this is really not fine. + if repo.vfs in vfsmap.values(): + raise error.ProgrammingError( + b'repo.vfs must not be added to vfsmap for security reasons' + ) with repo.transaction(b'clone'): ctxs = (vfs.backgroundclosing(repo.ui) for vfs in vfsmap.values())