# HG changeset patch # User Brodie Rao # Date 2011-03-31 03:01:31 # Node ID 7f18bab2c0b0db634aa001a02ac7b7d68ad6fc3d # Parent 2540f8087e020a3fdc1e6f05f91b8edac972ab5d url: abort on file:// URLs with non-localhost hosts diff --git a/mercurial/url.py b/mercurial/url.py --- a/mercurial/url.py +++ b/mercurial/url.py @@ -140,6 +140,11 @@ class url(object): self.host, self.port = self.host.rsplit(':', 1) if not self.host: self.host = None + + if (self.host and self.scheme == 'file' and + self.host not in ('localhost', '127.0.0.1', '[::1]')): + raise util.Abort(_('file:// URLs can only refer to localhost')) + self.path = path for a in ('user', 'passwd', 'host', 'port', diff --git a/tests/test-pull.t b/tests/test-pull.t --- a/tests/test-pull.t +++ b/tests/test-pull.t @@ -78,4 +78,8 @@ regular shell commands. $ URL=`python -c "import os; print 'file://foobar' + ('/' + os.getcwd().replace(os.sep, '/')).replace('//', '/') + '/../test'"` $ hg pull -q "$URL" + abort: file:// URLs can only refer to localhost + [255] + $ URL=`python -c "import os; print 'file://localhost' + ('/' + os.getcwd().replace(os.sep, '/')).replace('//', '/') + '/../test'"` + $ hg pull -q "$URL" diff --git a/tests/test-url.py b/tests/test-url.py --- a/tests/test-url.py +++ b/tests/test-url.py @@ -158,6 +158,13 @@ def test_url(): >>> url('/x///z/y/') + Non-localhost file URL: + + >>> u = url('file://mercurial.selenic.com/foo') + Traceback (most recent call last): + File "", line 1, in ? + Abort: file:// URLs can only refer to localhost + Empty URL: >>> u = url('')