Mercurial > hg
changeset 33636:f93975a5ebe8 stable
sshpeer: check for safe ssh url (SEC)
Checking in the sshpeer for a rogue ssh:// urls seems like the right
place to do it (instead of whack-a-mole with pull, clone, push, etc).
author | Sean Farley <sean@farley.io> |
---|---|
date | Tue, 01 Aug 2017 14:40:19 -0700 |
parents | e10745311406 |
children | f9134e96ed0f |
files | mercurial/sshpeer.py |
diffstat | 1 files changed, 2 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/sshpeer.py Fri Aug 04 14:00:03 2017 -0400 +++ b/mercurial/sshpeer.py Tue Aug 01 14:40:19 2017 -0700 @@ -138,6 +138,8 @@ if u.scheme != 'ssh' or not u.host or u.path is None: self._abort(error.RepoError(_("couldn't parse location %s") % path)) + util.checksafessh(path) + self.user = u.user if u.passwd is not None: self._abort(error.RepoError(_("password in URL not supported")))