Mercurial > public > mercurial-scm > hg-stable
comparison mercurial/sshpeer.py @ 33641:00a75672a9cb stable
ssh: quote parameters using shellquote (SEC)
This patch uses shellquote to quote ssh parameters more strictly to avoid
shell injection.
| author | Jun Wu <quark@fb.com> |
|---|---|
| date | Fri, 04 Aug 2017 23:54:12 -0700 |
| parents | f93975a5ebe8 |
| children |
comparison
equal
deleted
inserted
replaced
| 33640:ca398a50ca00 | 33641:00a75672a9cb |
|---|---|
| 148 self.path = u.path or "." | 148 self.path = u.path or "." |
| 149 | 149 |
| 150 sshcmd = self.ui.config("ui", "ssh", "ssh") | 150 sshcmd = self.ui.config("ui", "ssh", "ssh") |
| 151 remotecmd = self.ui.config("ui", "remotecmd", "hg") | 151 remotecmd = self.ui.config("ui", "remotecmd", "hg") |
| 152 | 152 |
| 153 args = util.sshargs(sshcmd, | 153 args = util.sshargs(sshcmd, self.host, self.user, self.port) |
| 154 _serverquote(self.host), | |
| 155 _serverquote(self.user), | |
| 156 _serverquote(self.port)) | |
| 157 | 154 |
| 158 if create: | 155 if create: |
| 159 cmd = '%s %s %s' % (sshcmd, args, | 156 cmd = '%s %s %s' % (sshcmd, args, |
| 160 util.shellquote("%s init %s" % | 157 util.shellquote("%s init %s" % |
| 161 (_serverquote(remotecmd), _serverquote(self.path)))) | 158 (_serverquote(remotecmd), _serverquote(self.path)))) |