Mercurial > public > mercurial-scm > hg-stable
comparison mercurial/subrepo.py @ 33656:db83a1df03fe stable
subrepo: add tests for git rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
| author | Sean Farley <sean@farley.io> |
|---|---|
| date | Mon, 31 Jul 2017 14:55:11 -0700 |
| parents | 60ee7af2a2ba |
| children | d5b2beca16c0 |
comparison
equal
deleted
inserted
replaced
| 33655:60ee7af2a2ba | 33656:db83a1df03fe |
|---|---|
| 1548 self._subsource = source | 1548 self._subsource = source |
| 1549 return _abssource(self) | 1549 return _abssource(self) |
| 1550 | 1550 |
| 1551 def _fetch(self, source, revision): | 1551 def _fetch(self, source, revision): |
| 1552 if self._gitmissing(): | 1552 if self._gitmissing(): |
| 1553 # SEC: check for safe ssh url | |
| 1554 util.checksafessh(source) | |
| 1555 | |
| 1553 source = self._abssource(source) | 1556 source = self._abssource(source) |
| 1554 self.ui.status(_('cloning subrepo %s from %s\n') % | 1557 self.ui.status(_('cloning subrepo %s from %s\n') % |
| 1555 (self._relpath, source)) | 1558 (self._relpath, source)) |
| 1556 self._gitnodir(['clone', source, self._abspath]) | 1559 self._gitnodir(['clone', source, self._abspath]) |
| 1557 if self._githavelocally(revision): | 1560 if self._githavelocally(revision): |