Mercurial > public > mercurial-scm > hg
comparison mercurial/subrepo.py @ 41458:83377b4b4ae0 stable 4.9
subrepo: reject potentially unsafe subrepo paths (BC) (SEC)
In addition to the previous patch, this prohibits '~', '$nonexistent', etc.
for any subrepo types. I think this is safer, and real-world subrepos wouldn't
use such (local) paths.
| author | Yuya Nishihara <yuya@tcha.org> |
|---|---|
| date | Tue, 08 Jan 2019 22:19:36 +0900 |
| parents | 6c10eba6b9cd |
| children | 13a6dd952ffe 87a6e3c953e0 |
comparison
equal
deleted
inserted
replaced
| 41457:6c10eba6b9cd | 41458:83377b4b4ae0 |
|---|---|
| 113 ui.warn(_("warning: removing potentially hostile 'hgrc' " | 113 ui.warn(_("warning: removing potentially hostile 'hgrc' " |
| 114 "in '%s'\n") % vfs.join(dirname)) | 114 "in '%s'\n") % vfs.join(dirname)) |
| 115 vfs.unlink(vfs.reljoin(dirname, f)) | 115 vfs.unlink(vfs.reljoin(dirname, f)) |
| 116 | 116 |
| 117 def _auditsubrepopath(repo, path): | 117 def _auditsubrepopath(repo, path): |
| 118 # sanity check for potentially unsafe paths such as '~' and '$FOO' | |
| 119 if path.startswith('~') or '$' in path or util.expandpath(path) != path: | |
| 120 raise error.Abort(_('subrepo path contains illegal component: %s') | |
| 121 % path) | |
| 118 # auditor doesn't check if the path itself is a symlink | 122 # auditor doesn't check if the path itself is a symlink |
| 119 pathutil.pathauditor(repo.root)(path) | 123 pathutil.pathauditor(repo.root)(path) |
| 120 if repo.wvfs.islink(path): | 124 if repo.wvfs.islink(path): |
| 121 raise error.Abort(_("subrepo '%s' traverses symbolic link") % path) | 125 raise error.Abort(_("subrepo '%s' traverses symbolic link") % path) |
| 122 | 126 |