convert: test for shell injection in git calls (SEC)

CVE-2016-3069 (5/5)

Before recent refactoring we were not escaping calls to git at all which made such injections possible. Let's have a test for that to avoid this problem in the future.

Reported by Blake Burkhart.

File last commit:

r25472:4d2b9b30 default
r28663:ae279d4a 3.7.3 stable
test-serve.t
81 lines | 1.8 KiB | text/troff | Tads3Lexer
Matt Mackall
tests: replace exit 80 with #require
r22046
#require serve
Patrick Mezard
tests: convert test-serve to new format
r13540
$ hgserve()
> {
> hg serve -a localhost -d --pid-file=hg.pid -E errors.log -v $@ \
> | sed -e "s/:$HGPORT1\\([^0-9]\\)/:HGPORT1\1/g" \
> -e "s/:$HGPORT2\\([^0-9]\\)/:HGPORT2\1/g" \
> -e 's/http:\/\/[^/]*\//http:\/\/localhost\//'
> cat hg.pid >> "$DAEMON_PIDS"
> echo % errors
> cat errors.log
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472
> killdaemons.py hg.pid
Patrick Mezard
tests: convert test-serve to new format
r13540
> }
$ hg init test
$ cd test
$ echo '[web]' > .hg/hgrc
$ echo 'accesslog = access.log' >> .hg/hgrc
$ echo "port = $HGPORT1" >> .hg/hgrc
Without -v
$ hg serve -a localhost -p $HGPORT -d --pid-file=hg.pid -E errors.log
$ cat hg.pid >> "$DAEMON_PIDS"
$ if [ -f access.log ]; then
Mads Kiilerich
tests: fix incorrect markup of continued lines of sh commands
r16487
> echo 'access log created - .hg/hgrc respected'
> fi
Patrick Mezard
tests: convert test-serve to new format
r13540
access log created - .hg/hgrc respected
errors
$ cat errors.log
With -v
$ hgserve
listening at http://localhost/ (bound to 127.0.0.1:HGPORT1)
% errors
With -v and -p HGPORT2
$ hgserve -p "$HGPORT2"
listening at http://localhost/ (bound to 127.0.0.1:HGPORT2)
% errors
With -v and -p daytime (should fail because low port)
Matt Mackall
tests: skip tests that require not having root (issue4089)...
r20008
#if no-root
Patrick Mezard
tests: convert test-serve to new format
r13540
$ KILLQUIETLY=Y
$ hgserve -p daytime
abort: cannot start server at 'localhost:13': Permission denied
abort: child process failed to start
% errors
$ KILLQUIETLY=N
Matt Mackall
tests: skip tests that require not having root (issue4089)...
r20008
#endif
Patrick Mezard
tests: convert test-serve to new format
r13540
With --prefix foo
$ hgserve --prefix foo
listening at http://localhost/foo/ (bound to 127.0.0.1:HGPORT1)
% errors
With --prefix /foo
$ hgserve --prefix /foo
listening at http://localhost/foo/ (bound to 127.0.0.1:HGPORT1)
% errors
With --prefix foo/
$ hgserve --prefix foo/
listening at http://localhost/foo/ (bound to 127.0.0.1:HGPORT1)
% errors
With --prefix /foo/
$ hgserve --prefix /foo/
listening at http://localhost/foo/ (bound to 127.0.0.1:HGPORT1)
% errors
Mads Kiilerich
tests: add missing trailing 'cd ..'...
r16913
$ cd ..