Mercurial > public > mercurial-scm > hg
comparison mercurial/sshpeer.py @ 33659:8cb9e921ef8c stable
ssh: quote parameters using shellquote (SEC)
This patch uses shellquote to quote ssh parameters more strictly to avoid
shell injection.
| author | Jun Wu <quark@fb.com> |
|---|---|
| date | Fri, 04 Aug 2017 23:54:12 -0700 |
| parents | d7a1c4c1181d |
| children | 02a745c20121 1908dc958639 |
comparison
equal
deleted
inserted
replaced
| 33658:db83a1df03fe | 33659:8cb9e921ef8c |
|---|---|
| 149 self.path = u.path or "." | 149 self.path = u.path or "." |
| 150 | 150 |
| 151 sshcmd = self.ui.config("ui", "ssh") | 151 sshcmd = self.ui.config("ui", "ssh") |
| 152 remotecmd = self.ui.config("ui", "remotecmd") | 152 remotecmd = self.ui.config("ui", "remotecmd") |
| 153 | 153 |
| 154 args = util.sshargs(sshcmd, | 154 args = util.sshargs(sshcmd, self.host, self.user, self.port) |
| 155 _serverquote(self.host), | |
| 156 _serverquote(self.user), | |
| 157 _serverquote(self.port)) | |
| 158 | 155 |
| 159 if create: | 156 if create: |
| 160 cmd = '%s %s %s' % (sshcmd, args, | 157 cmd = '%s %s %s' % (sshcmd, args, |
| 161 util.shellquote("%s init %s" % | 158 util.shellquote("%s init %s" % |
| 162 (_serverquote(remotecmd), _serverquote(self.path)))) | 159 (_serverquote(remotecmd), _serverquote(self.path)))) |