upstream/mercurial-mirror Files · mercurial/help/diffs.txt

subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)...

subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC) CVE-2016-3068 (1/1) Git's git-remote-ext remote helper provides an ext:: URL scheme that allows running arbitrary shell commands. This feature allows implementing simple git smart transports with a single shell shell command. However, git submodules could clone arbitrary URLs specified in the .gitmodules file. This was reported as CVE-2015-7545 and fixed in git v2.6.1. However, if a user directly clones a malicious ext URL, the git client will still run arbitrary shell commands. Mercurial is similarly effected. Mercurial allows specifying git repositories as subrepositories. Git ext:: URLs can be specified as Mercurial subrepositories allowing arbitrary shell commands to be run on `hg clone ...`. The Mercurial community would like to thank Blake Burkhart for reporting this issue. The description of the issue is copied from Blake's report. This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env variable to git commands with the same list of allowed protocols that git submodule is using. When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it to git without modifications.

Brodie Rao - - Load All Authors

File last commit:

r12083:ebfc4692 stable


                r28658:34d43cb8

stable

Download file

             diffs.txt
        
                    29 lines
            
             | 1.3 KiB
            
                | text/plain
            
             |
                TextLexer

/ mercurial / help / diffs.txt

History | Source | Raw |Copy content |Copy permalink

Dan Villiom Podlaski Christiansen setup: install translation files as package data...	r9999	Mercurial's default format for showing changes between two versions of
		a file is compatible with the unified format of GNU diff, which can be
		used by GNU patch and many other standard tools.

		While this standard format is often enough, it does not encode the
		following information:

		- executable status and other permission bits
		- copy or rename information
		- changes in binary files
		- creation or deletion of empty files

		Mercurial also supports the extended diff format from the git VCS
		which addresses these limitations. The git diff format is not produced
		by default because a few widespread tools still do not understand this
		format.

		This means that when generating diffs from a Mercurial repository
Martin Geisler Use hg role in help strings	r10973	(e.g. with :hg:`export`), you should be careful about things like file
Dan Villiom Podlaski Christiansen setup: install translation files as package data...	r9999	copies and renames or other things mentioned above, because when
		applying a standard diff to a different repository, this extra
		information is lost. Mercurial's internal operations (like push and
		pull) are not affected by this, because they use an internal binary
		format for communicating changes.

		To make Mercurial produce the git extended diff format, use the --git
		option available for many commands, or set 'git = True' in the [diff]
Brodie Rao help: refer to user configuration file more consistently...	r12083	section of your configuration file. You do not need to set this option
		when importing diffs in this format or using them in the mq extension.

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages