Mercurial > public > mercurial-scm > hg
comparison mercurial/posix.py @ 33643:00a75672a9cb stable
ssh: quote parameters using shellquote (SEC)
This patch uses shellquote to quote ssh parameters more strictly to avoid
shell injection.
| author | Jun Wu <quark@fb.com> |
|---|---|
| date | Fri, 04 Aug 2017 23:54:12 -0700 |
| parents | e10745311406 |
| children |
comparison
equal
deleted
inserted
replaced
| 33642:ca398a50ca00 | 33643:00a75672a9cb |
|---|---|
| 90 return pf | 90 return pf |
| 91 | 91 |
| 92 def sshargs(sshcmd, host, user, port): | 92 def sshargs(sshcmd, host, user, port): |
| 93 '''Build argument list for ssh''' | 93 '''Build argument list for ssh''' |
| 94 args = user and ("%s@%s" % (user, host)) or host | 94 args = user and ("%s@%s" % (user, host)) or host |
| 95 if '-' in args[:2]: | 95 if '-' in args[:1]: |
| 96 raise error.Abort( | 96 raise error.Abort( |
| 97 _('illegal ssh hostname or username starting with -: %s') % args) | 97 _('illegal ssh hostname or username starting with -: %s') % args) |
| 98 return port and ("%s -p %s" % (args, port)) or args | 98 args = shellquote(args) |
| 99 if port: | |
| 100 args = '-p %s %s' % (shellquote(port), args) | |
| 101 return args | |
| 99 | 102 |
| 100 def isexec(f): | 103 def isexec(f): |
| 101 """check whether a file is executable""" | 104 """check whether a file is executable""" |
| 102 return (os.lstat(f).st_mode & 0o100 != 0) | 105 return (os.lstat(f).st_mode & 0o100 != 0) |
| 103 | 106 |