Mercurial > public > mercurial-scm > hg-stable
comparison mercurial/subrepo.py @ 41315:6c10eba6b9cd stable
subrepo: prohibit variable expansion on creation of hg subrepo (SEC)
It's probably wrong to expand path at localrepo.*repository() layer, but
fixing the layering issue would require careful inspection of call paths.
So, this patch adds add a validation to the subrepo constructor.
os.path.realpath(util.expandpath(root)) is what vfsmod.vfs() would do.
| author | Yuya Nishihara <yuya@tcha.org> |
|---|---|
| date | Tue, 08 Jan 2019 22:07:45 +0900 |
| parents | 9199548525fc |
| children | 83377b4b4ae0 |
comparison
equal
deleted
inserted
replaced
| 41314:31286c9282df | 41315:6c10eba6b9cd |
|---|---|
| 401 super(hgsubrepo, self).__init__(ctx, path) | 401 super(hgsubrepo, self).__init__(ctx, path) |
| 402 self._state = state | 402 self._state = state |
| 403 r = ctx.repo() | 403 r = ctx.repo() |
| 404 root = r.wjoin(path) | 404 root = r.wjoin(path) |
| 405 create = allowcreate and not r.wvfs.exists('%s/.hg' % path) | 405 create = allowcreate and not r.wvfs.exists('%s/.hg' % path) |
| 406 # repository constructor does expand variables in path, which is | |
| 407 # unsafe since subrepo path might come from untrusted source. | |
| 408 if os.path.realpath(util.expandpath(root)) != root: | |
| 409 raise error.Abort(_('subrepo path contains illegal component: %s') | |
| 410 % path) | |
| 406 self._repo = hg.repository(r.baseui, root, create=create) | 411 self._repo = hg.repository(r.baseui, root, create=create) |
| 412 if self._repo.root != root: | |
| 413 raise error.ProgrammingError('failed to reject unsafe subrepo ' | |
| 414 'path: %s (expanded to %s)' | |
| 415 % (root, self._repo.root)) | |
| 407 | 416 |
| 408 # Propagate the parent's --hidden option | 417 # Propagate the parent's --hidden option |
| 409 if r is r.unfiltered(): | 418 if r is r.unfiltered(): |
| 410 self._repo = self._repo.unfiltered() | 419 self._repo = self._repo.unfiltered() |
| 411 | 420 |