##// END OF EJS Templates
clone: add tests for unsafe ssh url (SEC)
Sean Farley -
r33726:0bcceb58 stable
parent child Browse files
Show More
@@ -1097,3 +1097,25 b' pooled".'
1097 adding remote bookmark bookA
1097 adding remote bookmark bookA
1098 updating working directory
1098 updating working directory
1099 1 files updated, 0 files merged, 0 files removed, 0 files unresolved
1099 1 files updated, 0 files merged, 0 files removed, 0 files unresolved
1100
1101 SEC: check for unsafe ssh url
1102
1103 $ hg clone 'ssh://-oProxyCommand=touch${IFS}owned/path'
1104 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
1105 [255]
1106 $ hg clone 'ssh://%2DoProxyCommand=touch${IFS}owned/path'
1107 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
1108 [255]
1109 $ hg clone 'ssh://fakehost|shellcommand/path'
1110 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
1111 [255]
1112 $ hg clone 'ssh://fakehost%7Cshellcommand/path'
1113 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
1114 [255]
1115
1116 $ hg clone 'ssh://-oProxyCommand=touch owned%20foo@example.com/nonexistent/path'
1117 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch owned foo@example.com/nonexistent/path'
1118 [255]
1119 We should not have created a file named owned - if it exists, the
1120 attack succeeded.
1121 $ if test -f owned; then echo 'you got owned'; fi
General Comments 0
You need to be logged in to leave comments. Login now