convert: pass absolute paths to git (SEC)
Fixes CVE-2016-3105 (1/1).
Previously, it was possible for the repository path passed to git-ls-remote
to be misinterpreted as a URL.
Always passing an absolute path to git is a simple way to avoid this.
--- a/hgext/convert/git.py Sun May 01 13:52:26 2016 -0500
+++ b/hgext/convert/git.py Wed Apr 06 22:57:46 2016 -0500
@@ -57,6 +57,10 @@
super(convert_git, self).__init__(ui, path, revs=revs)
common.commandline.__init__(self, ui, 'git')
+ # Pass an absolute path to git to prevent from ever being interpreted
+ # as a URL
+ path = os.path.abspath(path)
+
if os.path.isdir(path + "/.git"):
path += "/.git"
if not os.path.exists(path + "/objects"):
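Review bot: The normalisation `path = os.path.abspath(path)` runs after `super(convert_git, self).__init__(ui, path, revs=revs)`, so the base class has already received the caller-supplied string. If it stores that value and any later git invocation reads it rather than the local `path`, the relative form could still reach git; that is worth confirming from the rest of the class, or the assignment could be moved above the `super` call. The new comment is also missing its object and the reason, and I would write `# Pass an absolute path to git so it can never be interpreted as a URL or remote-helper spec such as 'ext::...' (CVE-2016-3105)`. The enclosing `__init__` starts and ends outside this hunk.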
--- a/tests/test-convert-git.t Sun May 01 13:52:26 2016 -0500
+++ b/tests/test-convert-git.t Wed Apr 06 22:57:46 2016 -0500
@@ -714,7 +714,7 @@
$ COMMIT_OBJ=1c/0ce3c5886f83a1d78a7b517cdff5cf9ca17bdd
$ mv git-repo4/.git/objects/$COMMIT_OBJ git-repo4/.git/objects/$COMMIT_OBJ.tmp
$ hg convert git-repo4 git-repo4-broken-hg 2>&1 | grep 'abort:'
- abort: cannot retrieve number of commits in git-repo4/.git
+ abort: cannot retrieve number of commits in $TESTTMP/git-repo4/.git
$ mv git-repo4/.git/objects/$COMMIT_OBJ.tmp git-repo4/.git/objects/$COMMIT_OBJ
damage git repository by renaming a blob object
@@ -749,5 +749,22 @@
$ test -f COMMAND-INJECTION
[1]
+test for safely passing paths to git (CVE-2016-3105)
+
+ $ git init 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'
+ Initialized empty Git repository in $TESTTMP/ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #/.git/
+ $ cd 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'
+ $ git commit -q --allow-empty -m 'empty'
+ $ cd ..
+ $ hg convert 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #' 'converted-git-ext'
+ initializing destination converted-git-ext repository
+ scanning source...
+ sorting...
+ converting...
+ 0 empty
+ updating bookmarks
+ $ test -f GIT-EXT-COMMAND-INJECTION
+ [1]
+
#endif
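Review bot: The negative assertion `test -f GIT-EXT-COMMAND-INJECTION` looks only in the current directory ($TESTTMP after the `cd ..`), so it would still pass if a regression ran the command from a different working directory and left the marker there. A recursive check such as `$ find . -name GIT-EXT-COMMAND-INJECTION` with no expected output would make the test independent of where git is started. The heading could also state what is asserted, for example `a repository name that looks like an ext:: remote is treated as a local path (CVE-2016-3105)`. The `#if` block that the closing `#endif` belongs to opens outside this hunk.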
--- a/tests/test-convert.t Sun May 01 13:52:26 2016 -0500
+++ b/tests/test-convert.t Wed Apr 06 22:57:46 2016 -0500
@@ -422,7 +422,7 @@
assuming destination emptydir-hg
initializing destination emptydir-hg repository
emptydir does not look like a CVS checkout
- emptydir does not look like a Git repository
+ $TESTTMP/emptydir does not look like a Git repository
emptydir does not look like a Subversion repository
emptydir is not a local Mercurial repository
emptydir does not look like a darcs repository