changeset 33638:92b583e3e522 stable
pull: add tests for unsafe ssh url (SEC)
author | Sean Farley <sean@farley.io> |
---|---|
date | Fri, 28 Jul 2017 16:47:32 -0700 |
parents | f9134e96ed0f |
children | 08cfc4baf3ba |
files | tests/test-pull.t |
diffstat | 1 files changed, 19 insertions(+), 0 deletions(-) [+] |
--- a/tests/test-pull.t Fri Jul 28 16:36:36 2017 -0700
+++ b/tests/test-pull.t Fri Jul 28 16:47:32 2017 -0700
@@ -105,4 +105,23 @@
 $ URL=`$PYTHON -c "import os; print 'file://localhost' + ('/' + os.getcwd().replace(os.sep, '/')).replace('//', '/') + '/../test'"`
 $ hg pull -q "$URL"
 
+SEC: check for unsafe ssh url
+
+ $ hg pull 'ssh://-oProxyCommand=touch${IFS}owned/path'
+ pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
+ abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
+ [255]
+ $ hg pull 'ssh://%2DoProxyCommand=touch${IFS}owned/path'
+ pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
+ abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
+ [255]
+ $ hg pull 'ssh://fakehost|shellcommand/path'
+ pulling from ssh://fakehost%7Cshellcommand/path
+ abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+ [255]
+ $ hg pull 'ssh://fakehost%7Cshellcommand/path'
+ pulling from ssh://fakehost%7Cshellcommand/path
+ abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+ [255]
+
 $ cd ..
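Review bot: The four cases assert only the abort message and the exit status; nothing checks that the `owned` marker file was not created, which is the property that shows the URL was rejected before any ssh process was started. After the two `-oProxyCommand` cases, consider adding `$ test -f owned` with the expected `[1]`, assuming the working directory is where such a file would land. The `SEC:` comment could also say why these forms are rejected, for example `SEC: a host starting with "-" is read by ssh as an option and "|" is shell syntax; the %2D and %7C forms check that rejection happens after percent-decoding`. Only `hg pull` is exercised in this hunk; if clone, push and incoming are not covered elsewhere, the same cases apply there.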