changeset 13817:7f18bab2c0b0

url: abort on file:// URLs with non-localhost hosts
author Brodie Rao <brodie@bitheap.org>
date Wed, 30 Mar 2011 20:01:31 -0700
parents 2540f8087e02
children bf6156bab41b
files mercurial/url.py tests/test-pull.t tests/test-url.py
diffstat 3 files changed, 16 insertions(+), 0 deletions(-) [+]
--- a/mercurial/url.py	Wed Mar 30 20:00:24 2011 -0700
+++ b/mercurial/url.py	Wed Mar 30 20:01:31 2011 -0700
@@ -140,6 +140,11 @@
                 self.host, self.port = self.host.rsplit(':', 1)
                 if not self.host:
                     self.host = None
+
+            if (self.host and self.scheme == 'file' and
+                self.host not in ('localhost', '127.0.0.1', '[::1]')):
+                raise util.Abort(_('file:// URLs can only refer to localhost'))
+
         self.path = path
 
         for a in ('user', 'passwd', 'host', 'port',
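Review bot: The allowlist test `self.host not in ('localhost', '127.0.0.1', '[::1]')` compares the raw host string, so it is case-sensitive, and because it runs before the attribute loop that begins on the last context line (which presumably does the unquoting) it also sees percent-encoding undecoded. `file://LOCALHOST/repo` therefore aborts; that fails closed, which is the safe direction, but if it is not intended then `self.host.lower() not in (...)` fixes the case part. A comment above the check should say why it exists, e.g. `# a non-local host in a file:// URL would otherwise be ignored and the path opened on this machine`, which is what the previously silent `file://foobar` pull in tests/test-pull.t suggests. The enclosing method starts and ends outside the hunk.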
--- a/tests/test-pull.t	Wed Mar 30 20:00:24 2011 -0700
+++ b/tests/test-pull.t	Wed Mar 30 20:01:31 2011 -0700
@@ -78,4 +78,8 @@
 
   $ URL=`python -c "import os; print 'file://foobar' + ('/' + os.getcwd().replace(os.sep, '/')).replace('//', '/') + '/../test'"`
   $ hg pull -q "$URL"
+  abort: file:// URLs can only refer to localhost
+  [255]
 
+  $ URL=`python -c "import os; print 'file://localhost' + ('/' + os.getcwd().replace(os.sep, '/')).replace('//', '/') + '/../test'"`
+  $ hg pull -q "$URL"
--- a/tests/test-url.py	Wed Mar 30 20:00:24 2011 -0700
+++ b/tests/test-url.py	Wed Mar 30 20:01:31 2011 -0700
@@ -158,6 +158,13 @@
     >>> url('/x///z/y/')
     <url path: '/x///z/y/'>
 
+    Non-localhost file URL:
+
+    >>> u = url('file://mercurial.selenic.com/foo')
+    Traceback (most recent call last):
+      File "<stdin>", line 1, in ?
+    Abort: file:// URLs can only refer to localhost
+
     Empty URL:
 
     >>> u = url('')
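Review bot: The new doctest pins only the rejection path; none of the three accepted spellings is exercised at the `url()` level. `[::1]` is the one most likely to regress, because the host/port split just above the check in mercurial/url.py uses `rsplit(':', 1)`. Adding `>>> url('file://[::1]/foo')` and `>>> url('file://localhost:80/foo')` with their expected reprs would show that the bracketed literal reaches the allowlist intact and that a port does not defeat the comparison. The guard around that split is not visible in this diff, so the expected output has to come from a real run.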