diff mercurial/subrepo.py @ 41316:83377b4b4ae0 stable 4.9

subrepo: reject potentially unsafe subrepo paths (BC) (SEC) In addition to the previous patch, this prohibits '~', '$nonexistent', etc. for any subrepo types. I think this is safer, and real-world subrepos wouldn't use such (local) paths.
author Yuya Nishihara <yuya@tcha.org>
date Tue, 08 Jan 2019 22:19:36 +0900
parents 6c10eba6b9cd
children 87a6e3c953e0 13a6dd952ffe
--- a/mercurial/subrepo.py	Tue Jan 08 22:07:45 2019 +0900
+++ b/mercurial/subrepo.py	Tue Jan 08 22:19:36 2019 +0900
@@ -115,6 +115,10 @@
                 vfs.unlink(vfs.reljoin(dirname, f))
 
 def _auditsubrepopath(repo, path):
+    # sanity check for potentially unsafe paths such as '~' and '$FOO'
+    if path.startswith('~') or '$' in path or util.expandpath(path) != path:
+        raise error.Abort(_('subrepo path contains illegal component: %s')
+                          % path)
     # auditor doesn't check if the path itself is a symlink
     pathutil.pathauditor(repo.root)(path)
     if repo.wvfs.islink(path):
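Review bot: The third clause of the new guard, `util.expandpath(path) != path`, depends on the environment at audit time, so `'$' in path` is the only form rejected unconditionally. If `util.expandpath` wraps `os.path.expandvars`/`expanduser` as it appears to, a Windows-style `%NAME%` component is refused only when NAME happens to be set, and it passes the audit when NAME is unset. Whether that matters depends on what later consumes the path, which is not visible here, because `_auditsubrepopath` continues past the end of the hunk. If the intent is to refuse every expandable form for all subrepo types, consider a static test such as `or '%' in path`, or record the limitation in the comment: `# NOTE: '%VAR%' is only caught when VAR is set in the current environment`. A regression test that runs the audit with the variable both set and unset would pin the behaviour either way.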