##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)...
subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC) CVE-2016-3068 (1/1) Git's git-remote-ext remote helper provides an ext:: URL scheme that allows running arbitrary shell commands. This feature allows implementing simple git smart transports with a single shell shell command. However, git submodules could clone arbitrary URLs specified in the .gitmodules file. This was reported as CVE-2015-7545 and fixed in git v2.6.1. However, if a user directly clones a malicious ext URL, the git client will still run arbitrary shell commands. Mercurial is similarly effected. Mercurial allows specifying git repositories as subrepositories. Git ext:: URLs can be specified as Mercurial subrepositories allowing arbitrary shell commands to be run on `hg clone ...`. The Mercurial community would like to thank Blake Burkhart for reporting this issue. The description of the issue is copied from Blake's report. This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env variable to git commands with the same list of allowed protocols that git submodule is using. When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it to git without modifications.
Gregory Szorc - - Load All Authors

File last commit:

r28653:1eb0bd8a default
r28658:34d43cb8 stable
Show More
sslutil.py
206 lines | 8.4 KiB | text/x-python | PythonLexer
/ mercurial / sslutil.py
History | Source | Raw |Copy content |Copy permalink
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 # sslutil.py - SSL handling for mercurial
#
# Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
# Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
#
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.
Gregory Szorc
sslutil: use absolute_import
 r25977
from __future__ import absolute_import
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204
Gregory Szorc
sslutil: use absolute_import
 r25977 import os
import ssl
import sys
from .i18n import _
Pierre-Yves David
error: get Abort from 'error' instead of 'util'...
 r26587 from . import error, util
Yuya Nishihara
ssl: load CA certificates from system's store by default on Python 2.7.9...
 r24291
Gregory Szorc
sslutil: expose attribute indicating whether SNI is supported...
 r26622 hassni = getattr(ssl, 'HAS_SNI', False)
Yuya Nishihara
ssl: load CA certificates from system's store by default on Python 2.7.9...
 r24291 _canloaddefaultcerts = False
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 try:
Yuya Nishihara
ssl: drop try-except clause that was necessary for ancient Python
 r25431 ssl_context = ssl.SSLContext
_canloaddefaultcerts = util.safehasattr(ssl_context, 'load_default_certs')
Alex Orange
https: support tls sni (server name indication) for https urls (issue3090)...
 r23834
Yuya Nishihara
ssl: drop try-except clause that was necessary for ancient Python
 r25431 def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
ca_certs=None, serverhostname=None):
# Allow any version of SSL starting with TLSv1 and
# up. Note that specifying TLSv1 here prohibits use of
# newer standards (like TLSv1_2), so this is the right way
# to do this. Note that in the future it'd be better to
# support using ssl.create_default_context(), which sets
# up a bunch of things in smart ways (strong ciphers,
# protocol versions, etc) and is upgraded by Python
# maintainers for us, but that breaks too many things to
# do it in a hurry.
sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
Gábor Stefanik
sslutil: fix reversed logic (issue5034)
 r27688 sslcontext.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
Yuya Nishihara
ssl: drop try-except clause that was necessary for ancient Python
 r25431 if certfile is not None:
def password():
f = keyfile or certfile
return ui.getpass(_('passphrase for %s: ') % f, '')
sslcontext.load_cert_chain(certfile, keyfile, password)
sslcontext.verify_mode = cert_reqs
if ca_certs is not None:
sslcontext.load_verify_locations(cafile=ca_certs)
elif _canloaddefaultcerts:
sslcontext.load_default_certs()
Alex Orange
https: support tls sni (server name indication) for https urls (issue3090)...
 r23834
Yuya Nishihara
ssl: drop try-except clause that was necessary for ancient Python
 r25431 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
# check if wrap_socket failed silently because socket had been
# closed
# - see http://bugs.python.org/issue13721
if not sslsocket.cipher():
Pierre-Yves David
error: get Abort from 'error' instead of 'util'...
 r26587 raise error.Abort(_('ssl connection failed'))
Yuya Nishihara
ssl: drop try-except clause that was necessary for ancient Python
 r25431 return sslsocket
except AttributeError:
def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
ca_certs=None, serverhostname=None):
sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
cert_reqs=cert_reqs, ca_certs=ca_certs,
ssl_version=ssl.PROTOCOL_TLSv1)
# check if wrap_socket failed silently because socket had been
# closed
# - see http://bugs.python.org/issue13721
if not sslsocket.cipher():
Pierre-Yves David
error: get Abort from 'error' instead of 'util'...
 r26587 raise error.Abort(_('ssl connection failed'))
Yuya Nishihara
ssl: drop try-except clause that was necessary for ancient Python
 r25431 return sslsocket
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204
def _verifycert(cert, hostname):
'''Verify that cert (in socket.getpeercert() format) matches hostname.
CRLs is not handled.
Returns error message if any problems are found and None on success.
'''
if not cert:
return _('no certificate received')
dnsname = hostname.lower()
def matchdnsname(certname):
return (certname == dnsname or
'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
san = cert.get('subjectAltName', [])
if san:
certnames = [value.lower() for key, value in san if key == 'DNS']
for name in certnames:
if matchdnsname(name):
return None
Nicolas Bareil
sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798)...
 r14666 if certnames:
return _('certificate is for %s') % ', '.join(certnames)
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204
# subject is only checked when subjectAltName is empty
for s in cert.get('subject', []):
key, value = s[0]
if key == 'commonName':
try:
# 'subject' entries are unicode
certname = value.lower().encode('ascii')
except UnicodeEncodeError:
return _('IDN in certificate not supported')
if matchdnsname(certname):
return None
return _('certificate is for %s') % certname
return _('no commonName or subjectAltName found in certificate')
# CERT_REQUIRED means fetch the cert from the server all the time AND
# validate it against the CA store provided in web.cacerts.
Mads Kiilerich
ssl: only use the dummy cert hack if using an Apple Python (issue4410)...
 r23042 def _plainapplepython():
"""return true if this seems to be a pure Apple Python that
* is unfrozen and presumably has the whole mercurial module in the file
system
* presumably is an Apple Python that uses Apple OpenSSL which has patches
for using system certificate store CAs in addition to the provided
cacerts file
"""
Yuya Nishihara
ssl: resolve symlink before checking for Apple python executable (issue4588)...
 r24614 if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
Mads Kiilerich
ssl: only use the dummy cert hack if using an Apple Python (issue4410)...
 r23042 return False
Yuya Nishihara
ssl: resolve symlink before checking for Apple python executable (issue4588)...
 r24614 exe = os.path.realpath(sys.executable).lower()
Mads Kiilerich
ssl: only use the dummy cert hack if using an Apple Python (issue4410)...
 r23042 return (exe.startswith('/usr/bin/python') or
exe.startswith('/system/library/frameworks/python.framework/'))
Yuya Nishihara
ssl: extract function that returns dummycert path on Apple python...
 r24288 def _defaultcacerts():
Yuya Nishihara
ssl: load CA certificates from system's store by default on Python 2.7.9...
 r24291 """return path to CA certificates; None for system's store; ! to disable"""
Yuya Nishihara
ssl: extract function that returns dummycert path on Apple python...
 r24288 if _plainapplepython():
dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
if os.path.exists(dummycert):
return dummycert
Yuya Nishihara
ssl: load CA certificates from system's store by default on Python 2.7.9...
 r24291 if _canloaddefaultcerts:
return None
Yuya Nishihara
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)...
 r24290 return '!'
Yuya Nishihara
ssl: extract function that returns dummycert path on Apple python...
 r24288
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 def sslkwargs(ui, host):
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
 r25415 kws = {'ui': ui}
Mads Kiilerich
ssl: refactor sslkwargs - move things around a bit, preparing for next change
 r22574 hostfingerprint = ui.config('hostfingerprints', host)
if hostfingerprint:
return kws
cacerts = ui.config('web', 'cacerts')
Yuya Nishihara
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)...
 r24290 if cacerts == '!':
pass
elif cacerts:
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 cacerts = util.expandpath(cacerts)
if not os.path.exists(cacerts):
Pierre-Yves David
error: get Abort from 'error' instead of 'util'...
 r26587 raise error.Abort(_('could not find web.cacerts: %s') % cacerts)
Yuya Nishihara
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)...
 r24290 else:
cacerts = _defaultcacerts()
if cacerts and cacerts != '!':
ui.debug('using %s to enable OS X system CA\n' % cacerts)
ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
if cacerts != '!':
Augie Fackler
sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038)...
 r19806 kws.update({'ca_certs': cacerts,
Yuya Nishihara
ssl: remove CERT_REQUIRED constant that was necessary for compatibility
 r25432 'cert_reqs': ssl.CERT_REQUIRED,
Augie Fackler
sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038)...
 r19806 })
return kws
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204
class validator(object):
def __init__(self, ui, host):
self.ui = ui
self.host = host
FUJIWARA Katsunori
sslutil: abort if peer certificate is not verified for secure use...
 r18887 def __call__(self, sock, strict=False):
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 host = self.host
cacerts = self.ui.config('web', 'cacerts')
hostfingerprint = self.ui.config('hostfingerprints', host)
Matt Mackall
sslutil: try harder to avoid getpeercert problems...
 r18879
Mads Kiilerich
sslutil: work around validator crash getting certificate on failed sockets...
 r15816 if not sock.cipher(): # work around http://bugs.python.org/issue13721
Pierre-Yves David
error: get Abort from 'error' instead of 'util'...
 r26587 raise error.Abort(_('%s ssl connection error') % host)
Matt Mackall
sslutil: try harder to avoid getpeercert problems...
 r18879 try:
peercert = sock.getpeercert(True)
peercert2 = sock.getpeercert()
except AttributeError:
Pierre-Yves David
error: get Abort from 'error' instead of 'util'...
 r26587 raise error.Abort(_('%s ssl connection error') % host)
Matt Mackall
sslutil: try harder to avoid getpeercert problems...
 r18879
Mads Kiilerich
sslutil: abort properly if no certificate received for https connection...
 r15817 if not peercert:
Pierre-Yves David
error: get Abort from 'error' instead of 'util'...
 r26587 raise error.Abort(_('%s certificate error: '
Mads Kiilerich
sslutil: abort properly if no certificate received for https connection...
 r15817 'no certificate received') % host)
Mads Kiilerich
sslutil: show fingerprint when cacerts validation fails
 r15814 peerfingerprint = util.sha1(peercert).hexdigest()
nicefingerprint = ":".join([peerfingerprint[x:x + 2]
for x in xrange(0, len(peerfingerprint), 2)])
Mads Kiilerich
sslutil: reorder validator code to make it more readable
 r15815 if hostfingerprint:
if peerfingerprint.lower() != \
hostfingerprint.replace(':', '').lower():
Pierre-Yves David
error: get Abort from 'error' instead of 'util'...
 r26587 raise error.Abort(_('certificate for %s has unexpected '
Matt Mackall
sslutil: more helpful fingerprint mismatch message...
 r15997 'fingerprint %s') % (host, nicefingerprint),
hint=_('check hostfingerprint configuration'))
Mads Kiilerich
sslutil: reorder validator code to make it more readable
 r15815 self.ui.debug('%s certificate matched fingerprint %s\n' %
(host, nicefingerprint))
Yuya Nishihara
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)...
 r24290 elif cacerts != '!':
Matt Mackall
sslutil: try harder to avoid getpeercert problems...
 r18879 msg = _verifycert(peercert2, host)
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 if msg:
Pierre-Yves David
error: get Abort from 'error' instead of 'util'...
 r26587 raise error.Abort(_('%s certificate error: %s') % (host, msg),
Mads Kiilerich
sslutil: show fingerprint when cacerts validation fails
 r15814 hint=_('configure hostfingerprint %s or use '
'--insecure to connect insecurely') %
nicefingerprint)
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 self.ui.debug('%s certificate successfully verified\n' % host)
FUJIWARA Katsunori
sslutil: abort if peer certificate is not verified for secure use...
 r18887 elif strict:
Pierre-Yves David
error: get Abort from 'error' instead of 'util'...
 r26587 raise error.Abort(_('%s certificate with fingerprint %s not '
FUJIWARA Katsunori
sslutil: abort if peer certificate is not verified for secure use...
 r18887 'verified') % (host, nicefingerprint),
hint=_('check hostfingerprints or web.cacerts '
'config setting'))
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 else:
Mads Kiilerich
sslutil: reorder validator code to make it more readable
 r15815 self.ui.warn(_('warning: %s certificate with fingerprint %s not '
'verified (check hostfingerprints or web.cacerts '
'config setting)\n') %
(host, nicefingerprint))