subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)

CVE-2016-3068 (1/1)

Git's git-remote-ext remote helper provides an ext:: URL scheme that allows running arbitrary shell commands. This feature allows implementing simple git smart transports with a single shell command. However, git submodules could clone arbitrary URLs specified in the .gitmodules file. This was reported as CVE-2015-7545 and fixed in git v2.6.1.

However, if a user directly clones a malicious ext URL, the git client will still run arbitrary shell commands.

Mercurial is similarly affected. Mercurial allows specifying git repositories as subrepositories. Git ext:: URLs can be specified as Mercurial subrepositories allowing arbitrary shell commands to be run on `hg clone ...`.

The Mercurial community would like to thank Blake Burkhart for reporting this issue. The description of the issue is copied from Blake's report.

This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env variable to git commands with the same list of allowed protocols that git submodule is using. When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it to git without modifications.
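
The behaviour the commit message describes, as an added sketch that is not Mercurial's own code: build the environment for a git child process so that GIT_ALLOW_PROTOCOL is always set, and audit subrepository sources against it. The function names, the simplified source classifier and the sample sources are hypothetical; the default list `file:git:http:https:ssh` is an assumption about what git's submodule code allowed at the time.

```python
import os
import re

# Assumption: the allowlist git's submodule code used by default at the time.
DEFAULT_ALLOWED = "file:git:http:https:ssh"
_HELPER = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)::")   # remote-helper form
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")  # ordinary URL
_SCP_LIKE = re.compile(r"^[^/:]+:")  # "user@host:path", colon before any slash

def git_env(base_env=None):
    """Environment for a git child process, with the protocol allowlist set."""
    env = dict(os.environ if base_env is None else base_env)
    # An existing value is passed through unmodified; otherwise use the default.
    env.setdefault("GIT_ALLOW_PROTOCOL", DEFAULT_ALLOWED)
    return env

def source_protocol(source):
    """Simplified classification of a git source into a transport name."""
    m = _HELPER.match(source)
    if m:  # e.g. ext::..., the form the advisory is about
        return m.group(1).lower()
    m = _SCHEME.match(source)
    if m:
        return m.group(1).lower()
    if _SCP_LIKE.match(source):
        return "ssh"
    return "file"  # plain local path

def is_allowed(source, env):
    """True if the source's transport is named in GIT_ALLOW_PROTOCOL."""
    return source_protocol(source) in env["GIT_ALLOW_PROTOCOL"].split(":")

def audit(sources, base_env):
    """Map each source to (transport, allowed) under the effective env."""
    env = git_env(base_env)
    return {s: (source_protocol(s), is_allowed(s, env)) for s in sources}

# Constructed sample subrepository sources (not taken from the page).
SAMPLES = [
    "https://example.com/repo.git",
    "git@example.com:team/repo.git",
    "/srv/repos/project",
    "ext::placeholder-helper-command",
]

if __name__ == "__main__":
    for src, (proto, ok) in audit(SAMPLES, {}).items():
        print(f"{src!r}: transport={proto} allowed={ok}")
```

Unknown spellings such as `git+ssh://` are not normalised by this classifier and are therefore reported as not allowed, which fails closed.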

File last commit:

r19197:01d68fb0 stable
r28658:34d43cb8 stable
urls.txt
Valid URLs are of the form::

  local/filesystem/path[#revision]
  file://local/filesystem/path[#revision]
  http://[user[:pass]@]host[:port]/[path][#revision]
  https://[user[:pass]@]host[:port]/[path][#revision]
  ssh://[user@]host[:port]/[path][#revision]

Paths in the local filesystem can either point to Mercurial
repositories or to bundle files (as created by :hg:`bundle` or
:hg:`incoming --bundle`). See also :hg:`help paths`.

An optional identifier after # indicates a particular branch, tag, or
changeset to use from the remote repository. See also :hg:`help
revisions`.

Some features, such as pushing to http:// and https:// URLs are only
possible if the feature is explicitly enabled on the remote Mercurial
server.

Note that the security of HTTPS URLs depends on proper configuration of
web.cacerts.

Some notes about using SSH with Mercurial:

- SSH requires an accessible shell account on the destination machine
  and a copy of hg in the remote path or specified as remotecmd.
- path is relative to the remote user's home directory by default. Use
  an extra slash at the start of a path to specify an absolute path::

    ssh://example.com//tmp/repository

- Mercurial doesn't use its own compression via SSH; the right thing
  to do is to configure it in your ~/.ssh/config, e.g.::

    Host *.mylocalnetwork.example.com
      Compression no
    Host *
      Compression yes

  Alternatively specify "ssh -C" as your ssh command in your
  configuration file or with the --ssh command line option.

These URLs can all be stored in your configuration file with path
aliases under the [paths] section like so::

  [paths]
  alias1 = URL1
  alias2 = URL2
  ...

You can then use the alias for any command that uses a URL (for
example :hg:`pull alias1` will be treated as :hg:`pull URL1`).

Two path aliases are special because they are used as defaults when
you do not provide the URL to a command:

default:
  When you create a repository with hg clone, the clone command saves
  the location of the source repository as the new repository's
  'default' path. This is then used when you omit path from push- and
  pull-like commands (including incoming and outgoing).

default-push:
  The push command will look for a path named 'default-push', and
  prefer it over 'default' if both are defined.