Mercurial > public > mercurial-scm > hg-stable
comparison mercurial/util.py @ 33658:3fee7f7d2da0 stable 4.3.1
ssh: unban the use of pipe character in user@host:port string
This vulnerability was fixed by the previous patch and there were more ways
to exploit than using '|shellcmd'. So it doesn't make sense to reject only
pipe character.
Test cases are updated to actually try to exploit the bug. As the SSH bridge
of git/svn subrepos are not managed by our code, the tests for non-hg subrepos
are just removed.
This may be folded into the original patches.
| author | Yuya Nishihara <yuya@tcha.org> |
|---|---|
| date | Mon, 07 Aug 2017 22:22:28 +0900 |
| parents | 60ee7af2a2ba |
| children | 02a745c20121 |
comparison
equal
deleted
inserted
replaced
| 33657:8cb9e921ef8c | 33658:3fee7f7d2da0 |
|---|---|
| 2903 user. | 2903 user. |
| 2904 | 2904 |
| 2905 Raises an error.Abort when the url is unsafe. | 2905 Raises an error.Abort when the url is unsafe. |
| 2906 """ | 2906 """ |
| 2907 path = urlreq.unquote(path) | 2907 path = urlreq.unquote(path) |
| 2908 if (path.startswith('ssh://-') or path.startswith('svn+ssh://-') | 2908 if path.startswith('ssh://-') or path.startswith('svn+ssh://-'): |
| 2909 or '|' in path): | |
| 2910 raise error.Abort(_('potentially unsafe url: %r') % | 2909 raise error.Abort(_('potentially unsafe url: %r') % |
| 2911 (path,)) | 2910 (path,)) |
| 2912 | 2911 |
| 2913 def hidepassword(u): | 2912 def hidepassword(u): |
| 2914 '''hide user credential in a url string''' | 2913 '''hide user credential in a url string''' |