diff mercurial/mail.py @ 43021:2cc453284d5c

patchbomb: protect email addresses from shell When patchbomb sends email via a sendmail-like program it invokes this using procutil.popen which passes the string to a shell to be parsed. To protect any special characters in the email addresses on the command line from being interpreted by the shell they must be quoted.
author Floris Bruynooghe <flub@google.com>
date Mon, 30 Sep 2019 00:01:58 +0200
parents 9b3be572ff0c
children 2372284d9457
--- a/mercurial/mail.py	Sun Sep 29 11:29:25 2019 -0700
+++ b/mercurial/mail.py	Mon Sep 30 00:01:58 2019 +0200
@@ -152,7 +152,8 @@
 def _sendmail(ui, sender, recipients, msg):
     '''send mail using sendmail.'''
     program = ui.config('email', 'method')
-    stremail = lambda x: stringutil.email(encoding.strtolocal(x))
+    stremail = lambda x: (
+        procutil.quote(stringutil.email(encoding.strtolocal(x))))
     cmdline = '%s -f %s %s' % (program, stremail(sender),
                                ' '.join(map(stremail, recipients)))
     ui.note(_('sending mail: %s\n') % cmdline)
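Review bot: Quoting in `stremail` stops the shell from interpreting an address, but an address that begins with `-` still reaches the configured program as an option rather than a recipient, because the recipients are joined directly after the `-f` argument. Consider rejecting such addresses before `cmdline` is built, or separating the operands with `--` where the configured sendmail-like program accepts it, e.g. `'%s -f %s -- %s'`. `program` stays unquoted, which looks deliberate since the config value may carry its own arguments; a short comment would make that explicit, such as `# program comes from trusted config and may include arguments; only the addresses are quoted`. The body of `_sendmail` continues past the end of this hunk.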