--- a/hglib/client.py	Mon Feb 12 14:54:09 2018 +0100
+++ b/hglib/client.py	Wed Apr 25 21:27:02 2018 +0900
@@ -183,6 +183,8 @@
         if not self.server:
             raise ValueError("server not connected")
 
+        if any(b('\0') in a for a in args):
+            raise ValueError('null character in command arguments')
         self.server.stdin.write(b('runcommand\n'))
         writeblock(b('\0').join(args))
 

--- a/tests/test-commit.py	Mon Feb 12 14:54:09 2018 +0100
+++ b/tests/test-commit.py	Wed Apr 25 21:27:02 2018 +0900
@@ -60,3 +60,8 @@
         self.assertEquals(now, self.client.tip().date)
         self.assertNotEquals(node0, node1)
         self.assertEqual(1, len(self.client.log()))
+
+    def test_nul_injection(self):
+        self.append('a', 'a')
+        self.assertRaises(ValueError, lambda: self.client.commit(b('fail\0-A')))
+        self.assertEqual(0, len(self.client.log()))