diff mercurial/posix.py @ 33649:739cc0f9cbb4 stable
ssh: ban any username@host or host that starts with - (SEC)
This paranoia probably isn't required, but it can't hurt either.
author | Augie Fackler <augie@google.com> |
---|---|
date | Fri, 04 Aug 2017 14:00:03 -0400 |
parents | c2cb0de25120 |
children | 8cb9e921ef8c |
--- a/mercurial/posix.py Fri Jul 28 16:32:25 2017 -0700
+++ b/mercurial/posix.py Fri Aug 04 14:00:03 2017 -0400
@@ -23,6 +23,7 @@
 from .i18n import _
 from . import (
 encoding,
+ error,
 pycompat,
 )
 
@@ -91,6 +92,9 @@
 def sshargs(sshcmd, host, user, port):
 '''Build argument list for ssh'''
 args = user and ("%s@%s" % (user, host)) or host
+ if '-' in args[:2]:
+ raise error.Abort(
+ _('illegal ssh hostname or username starting with -: %s') % args)
 return port and ("%s -p %s" % (args, port)) or args
 
 def isexec(f):
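Review bot: The guard `if '-' in args[:2]:` in sshargs tests the first two characters, so it also rejects a name whose second character is a dash (a constructed example: host `a-b.example.com`), although the error message and the commit title speak only of names starting with `-`. If only a leading dash is meant, `if args.startswith('-'):` says so directly; if the second position is covered on purpose, a short comment above the check should give the reason. Separately, `port` is still interpolated into `"%s -p %s"` with no check in this function, so it is worth confirming that the caller guarantees a numeric value.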