# HG changeset patch
# User Augie Fackler
# Date 2017-08-04 18:00:03
# Node ID 739cc0f9cbb4f39d47ab6c6b80db81fc46f61d8d
# Parent 0b3fe3910ef5566c858bd5decb5783a873ce7d4a
ssh: ban any username@host or host that starts with - (SEC)

This paranoia probably isn't required, but it can't hurt either.

diff --git a/mercurial/posix.py b/mercurial/posix.py
--- a/mercurial/posix.py
+++ b/mercurial/posix.py
@@ -23,6 +23,7 @@ import unicodedata
 from .i18n import _
 from . import (
 encoding,
+ error,
 pycompat,
 )
 
@@ -91,6 +92,9 @@ def parsepatchoutput(output_line):
 def sshargs(sshcmd, host, user, port):
 '''Build argument list for ssh'''
 args = user and ("%s@%s" % (user, host)) or host
+ if '-' in args[:2]:
+ raise error.Abort(
+ _('illegal ssh hostname or username starting with -: %s') % args)
 return port and ("%s -p %s" % (args, port)) or args
 
 def isexec(f):
diff --git a/mercurial/windows.py b/mercurial/windows.py
--- a/mercurial/windows.py
+++ b/mercurial/windows.py
@@ -17,6 +17,7 @@ import sys
 from .i18n import _
 from . import (
 encoding,
+ error,
 policy,
 pycompat,
 win32,
@@ -203,6 +204,10 @@ def sshargs(sshcmd, host, user, port):
 '''Build argument list for ssh or Plink'''
 pflag = 'plink' in sshcmd.lower() and '-P' or '-p'
 args = user and ("%s@%s" % (user, host)) or host
+ if args.startswith('-') or args.startswith('/'):
+ raise error.Abort(
+ _('illegal ssh hostname or username starting with - or /: %s') %
+ args)
 return port and ("%s %s %s" % (args, pflag, port)) or args
 
 def setflags(f, l, x):
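Review bot: The guard `if '-' in args[:2]:` in posix.py's sshargs tests the first two characters, so it also rejects a user or host whose second character is a dash (a constructed example: `a-build.example`), while the error text and the commit title speak only of a leading dash. The windows.py hunk of this same patch uses `args.startswith('-')`; writing `if args.startswith('-'):` here keeps the guard against a value being read as an ssh option and removes the false rejections. If the wider slice is deliberate, a comment above the `if` should say what the second position protects against. Separately, `port` is still formatted into the returned string unchecked on the `return` line; if it can come from the same untrusted URL as the host, it may deserve the same scrutiny.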
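Review bot: The new check in windows.py's sshargs has no comment saying why a leading `/` is rejected alongside `-`. Presumably it is because Windows tools may treat `/` as a switch prefix, but the hunk does not say so. A line such as `# a leading '-' or '/' could be parsed as a command-line switch by ssh/plink` above the `if` would record the intent. The two calls can also be written as one, `if args.startswith(('-', '/')):`. The function's `def` line appears only in the hunk header, so this is judged from the body lines shown.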