upstream/mercurial-mirror Commit - r34985:071cbeba

subrepo: disallow symlink traversal across subrepo mount point (SEC)...

Yuya Nishihara -

r34985:071cbeba stable

parent child

mercurial/subrepo.py

0 +8 -2

                                       "in '%s'\n") % vfs.join(dirname))
                             vfs.unlink(vfs.reljoin(dirname, f))
+            def _auditsubrepopath(repo, path):
+                # auditor doesn't check if the path itself is a symlink
+                pathutil.pathauditor(repo.root)(path)
+                if repo.wvfs.islink(path):
+                    raise error.Abort(_("subrepo '%s' traverses symbolic link") % path)
             def subrepo(ctx, path, allowwdir=False, allowcreate=True):
                 """return instance of the right subrepo class for subrepo in path"""
                 # subrepo inherently violates our import layering rules
                 from . import hg as h
                 hg = h
-                pathutil.pathauditor(ctx.repo().root)(path)
+                _auditsubrepopath(ctx.repo(), path)
                 state = ctx.substate[path]
                 if state[2] not in types:
                     raise error.Abort(_('unknown subrepo type %s') % state[2])
                 from . import hg as h
                 hg = h
-                pathutil.pathauditor(ctx.repo().root)(path)
+                _auditsubrepopath(ctx.repo(), path)
                 state = ctx.substate[path]
                 if state[2] not in types:
                     raise error.Abort(_('unknown subrepo type %s') % state[2])

tests/test-audit-subrepo.t

0 +21 -3

@@ -50,17 +50,35 b' on commit:'
50	$ hg ci -qAm 'add symlink "out"'	50	$ hg ci -qAm 'add symlink "out"'
51	$ hg init ../out	51	$ hg init ../out
52	$ echo 'out = out' >> .hgsub	52	$ echo 'out = out' >> .hgsub
53	BROKEN: should fail
54	$ hg ci -qAm 'add subrepo "out"'	53	$ hg ci -qAm 'add subrepo "out"'
		54	abort: subrepo 'out' traverses symbolic link
		55	[255]
		56
		57	prepare tampered repo (including the commit above):
		58
		59	$ hg import --bypass -qm 'add subrepo "out"' - <<'EOF'
		60	> diff --git a/.hgsub b/.hgsub
		61	> new file mode 100644
		62	> --- /dev/null
		63	> +++ b/.hgsub
		64	> @@ -0,0 +1,1 @@
		65	> +out = out
		66	> diff --git a/.hgsubstate b/.hgsubstate
		67	> new file mode 100644
		68	> --- /dev/null
		69	> +++ b/.hgsubstate
		70	> @@ -0,0 +1,1 @@
		71	> +0000000000000000000000000000000000000000 out
		72	> EOF
55	$ cd ../..	73	$ cd ../..
56		74
57	on clone (and update):	75	on clone (and update):
58		76
59	$ mkdir hgsymdir2	77	$ mkdir hgsymdir2
60	BROKEN: should fail to update
61	$ hg clone -q hgsymdir/root hgsymdir2/root	78	$ hg clone -q hgsymdir/root hgsymdir2/root
		79	abort: subrepo 'out' traverses symbolic link
		80	[255]
62	$ ls hgsymdir2	81	$ ls hgsymdir2
63	out
64	root	82	root
65		83
66	#endif	84	#endif

tests/test-subrepo-git.t

0 +4 -2

             Don't crash if subrepo is a broken symlink
               $ ln -s broken s
               $ hg status -S
+              abort: subrepo 's' traverses symbolic link
+              [255]
               $ hg push -q
-              abort: subrepo s is missing (in subrepository "s")
+              abort: subrepo 's' traverses symbolic link
               [255]
               $ hg commit --subrepos -qm missing
-              abort: subrepo s is missing (in subrepository "s")
+              abort: subrepo 's' traverses symbolic link
               [255]
               $ rm s
             #endif

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages