ssh: ban any username@host or host that starts with - (SEC)
This paranoia probably isn't required, but it can't hurt either.
--- a/mercurial/posix.py Fri Jul 28 16:32:25 2017 -0700
+++ b/mercurial/posix.py Fri Aug 04 14:00:03 2017 -0400
@@ -23,6 +23,7 @@
from .i18n import _
from . import (
encoding,
+ error,
pycompat,
)
@@ -91,6 +92,9 @@
def sshargs(sshcmd, host, user, port):
'''Build argument list for ssh'''
args = user and ("%s@%s" % (user, host)) or host
+ if '-' in args[:2]:
+ raise error.Abort(
+ _('illegal ssh hostname or username starting with -: %s') % args)
return port and ("%s -p %s" % (args, port)) or args
def isexec(f):
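Review bot: The guard `'-' in args[:2]` inspects the first two characters rather than only the first, so a value such as `a-host` or `x-user@host` is aborted even though the message says "starting with -". Unless the second character is checked on purpose (in which case a comment should say why), `if args.startswith('-'):` would match both the message and the check added to windows.py. Separately, `port` is still formatted into the returned string unchecked, here and in the windows.py `sshargs`. If callers do not already restrict it to digits, the same guard should cover it. The code that quotes and executes this string is outside the hunk, so how the result reaches the ssh command line cannot be confirmed from here.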
--- a/mercurial/windows.py Fri Jul 28 16:32:25 2017 -0700
+++ b/mercurial/windows.py Fri Aug 04 14:00:03 2017 -0400
@@ -17,6 +17,7 @@
from .i18n import _
from . import (
encoding,
+ error,
osutil,
pycompat,
win32,
@@ -199,6 +200,10 @@
'''Build argument list for ssh or Plink'''
pflag = 'plink' in sshcmd.lower() and '-P' or '-p'
args = user and ("%s@%s" % (user, host)) or host
+ if args.startswith('-') or args.startswith('/'):
+ raise error.Abort(
+ _('illegal ssh hostname or username starting with - or /: %s') %
+ args)
return port and ("%s %s %s" % (args, pflag, port)) or args
def setflags(f, l, x):
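Review bot: The new check rejects a leading `/` as well as `-`, but nothing in the hunk says why, and the posix.py version does not do the same, so a later reader may "fix" the difference in either direction. A short comment above the `if` would pin the intent, for example `# refuse anything the ssh client could parse as an option: '-' everywhere, '/' for Windows-style switches (NOTE: confirm which clients accept these)`. The `def sshargs` line is outside the hunk, so this assumes the signature matches the posix.py one.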