diff mercurial/posix.py @ 33641:00a75672a9cb stable
ssh: quote parameters using shellquote (SEC)
This patch uses shellquote to quote ssh parameters more strictly to avoid
shell injection.
author | Jun Wu <quark@fb.com> |
---|---|
date | Fri, 04 Aug 2017 23:54:12 -0700 |
parents | e10745311406 |
children |
--- a/mercurial/posix.py Mon Jul 31 14:55:11 2017 -0700
+++ b/mercurial/posix.py Fri Aug 04 23:54:12 2017 -0700
@@ -92,10 +92,13 @@
 def sshargs(sshcmd, host, user, port):
 '''Build argument list for ssh'''
 args = user and ("%s@%s" % (user, host)) or host
- if '-' in args[:2]:
+ if '-' in args[:1]:
 raise error.Abort(
 _('illegal ssh hostname or username starting with -: %s') % args)
- return port and ("%s -p %s" % (args, port)) or args
+ args = shellquote(args)
+ if port:
+ args = '-p %s %s' % (shellquote(port), args)
+ return args

 def isexec(f):
 """check whether a file is executable"""
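Review bot: The leading-dash guard in sshargs and the new shellquote calls defend against two different things, and nothing in the code says so: quoting stops the shell from interpreting metacharacters, while the `'-' in args[:1]` test stops ssh from parsing the host or user as an option, which quoting alone cannot prevent. A comment above the check such as `# shellquote does not stop ssh from treating a leading '-' as an option` would keep a later cleanup from dropping it, and `args.startswith('-')` states the same test more directly. The docstring still says 'Build argument list for ssh' although the function now returns an already shell-quoted string; it should say so, so that callers do not quote the result a second time. port is quoted but never checked to be numeric; if it comes from a parsed URL (not visible in this hunk), rejecting a non-integer value before building the string would fail earlier and with a clearer message.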