Mercurial > public > mercurial-scm > hg
diff tests/test-convert-git.t @ 29051:a56296f55a5e stable 3.8.1
convert: pass absolute paths to git (SEC)
Fixes CVE-2016-3105 (1/1).
Previously, it was possible for the repository path passed to git-ls-remote
to be misinterpreted as a URL.
Always passing an absolute path to git is a simple way to avoid this.
| author | Blake Burkhart <bburky@bburky.com> |
|---|---|
| date | Wed, 06 Apr 2016 22:57:46 -0500 |
| parents | 4a359b8f8fae |
| children | ea3540e66fd8 |
line wrap: on
line diff
--- a/tests/test-convert-git.t Sun May 01 13:52:26 2016 -0500 +++ b/tests/test-convert-git.t Wed Apr 06 22:57:46 2016 -0500 @@ -714,7 +714,7 @@ $ COMMIT_OBJ=1c/0ce3c5886f83a1d78a7b517cdff5cf9ca17bdd $ mv git-repo4/.git/objects/$COMMIT_OBJ git-repo4/.git/objects/$COMMIT_OBJ.tmp $ hg convert git-repo4 git-repo4-broken-hg 2>&1 | grep 'abort:' - abort: cannot retrieve number of commits in git-repo4/.git + abort: cannot retrieve number of commits in $TESTTMP/git-repo4/.git $ mv git-repo4/.git/objects/$COMMIT_OBJ.tmp git-repo4/.git/objects/$COMMIT_OBJ damage git repository by renaming a blob object @@ -749,5 +749,22 @@ $ test -f COMMAND-INJECTION [1] +test for safely passing paths to git (CVE-2016-3105) + + $ git init 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #' + Initialized empty Git repository in $TESTTMP/ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #/.git/ + $ cd 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #' + $ git commit -q --allow-empty -m 'empty' + $ cd .. + $ hg convert 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #' 'converted-git-ext' + initializing destination converted-git-ext repository + scanning source... + sorting... + converting... + 0 empty + updating bookmarks + $ test -f GIT-EXT-COMMAND-INJECTION + [1] + #endif