Mercurial > public > mercurial-scm > hg
diff tests/test-subrepo.t @ 33660:3fee7f7d2da0 stable 4.3.1
ssh: unban the use of pipe character in user@host:port string
This vulnerability was fixed by the previous patch and there were more ways
to exploit than using '|shellcmd'. So it doesn't make sense to reject only
pipe character.
Test cases are updated to actually try to exploit the bug. As the SSH bridge
of git/svn subrepos are not managed by our code, the tests for non-hg subrepos
are just removed.
This may be folded into the original patches.
| author | Yuya Nishihara <yuya@tcha.org> |
|---|---|
| date | Mon, 07 Aug 2017 22:22:28 +0900 |
| parents | 475af2f89636 |
| children | eb586ed5d8ce |
line wrap: on
line diff
--- a/tests/test-subrepo.t Fri Aug 04 23:54:12 2017 -0700 +++ b/tests/test-subrepo.t Mon Aug 07 22:22:28 2017 +0900 @@ -1792,6 +1792,11 @@ test for ssh exploit 2017-07-25 + $ cat >> $HGRCPATH << EOF + > [ui] + > ssh = sh -c "read l; read l; read l" + > EOF + $ hg init malicious-proxycommand $ cd malicious-proxycommand $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub @@ -1825,26 +1830,28 @@ also check for a pipe $ cd malicious-proxycommand - $ echo 's = [hg]ssh://fakehost|shell/path' > .hgsub + $ echo 's = [hg]ssh://fakehost|touch${IFS}owned/path' > .hgsub $ hg ci -m 'change url to pipe' $ cd .. $ rm -r malicious-proxycommand-clone $ hg clone malicious-proxycommand malicious-proxycommand-clone updating to branch default - abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s") + abort: no suitable response from remote hg! [255] + $ [ ! -f owned ] || echo 'you got owned' also check that a percent encoded '|' (%7C) doesn't work $ cd malicious-proxycommand - $ echo 's = [hg]ssh://fakehost%7Cshell/path' > .hgsub + $ echo 's = [hg]ssh://fakehost%7Ctouch%20owned/path' > .hgsub $ hg ci -m 'change url to percent encoded pipe' $ cd .. $ rm -r malicious-proxycommand-clone $ hg clone malicious-proxycommand malicious-proxycommand-clone updating to branch default - abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s") + abort: no suitable response from remote hg! [255] + $ [ ! -f owned ] || echo 'you got owned' and bad usernames: $ cd malicious-proxycommand