@@ -1274,6 +1274,10 b' class svnsubrepo(abstractsubrepo):' | |||
|
1274 | 1274 | # The revision must be specified at the end of the URL to properly |
|
1275 | 1275 | # update to a directory which has since been deleted and recreated. |
|
1276 | 1276 | args.append('%s@%s' % (state[0], state[1])) |
|
1277 | ||
|
1278 | # SEC: check that the ssh url is safe | |
|
1279 | util.checksafessh(state[0]) | |
|
1280 | ||
|
1277 | 1281 | status, err = self._svncommand(args, failok=True) |
|
1278 | 1282 | _sanitize(self.ui, self.wvfs, '.svn') |
|
1279 | 1283 | if not re.search('Checked out revision [0-9]+.', status): |
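Review bot: `util.checksafessh(state[0])` runs only after `state[0]` has been formatted into `args` by the preceding `args.append('%s@%s' % (state[0], state[1]))`, so validation follows use. Moving the call above that line keeps an unchecked URL out of the command list altogether. The comment `# SEC: check that the ssh url is safe` could also say what is rejected, e.g. `# SEC: abort before invoking svn if the source URL could be read as an ssh option or contains a pipe`. The enclosing method starts and ends outside this hunk, so whether other svn invocations built from `state[0]` need the same check cannot be judged from here.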
@@ -2890,7 +2890,8 b' def checksafessh(path):' | |||
|
2890 | 2890 | Raises an error.Abort when the url is unsafe. |
|
2891 | 2891 | """ |
|
2892 | 2892 | path = urlreq.unquote(path) |
|
2893 |
if path.startswith('ssh://-') or ' |
|
|
2893 | if (path.startswith('ssh://-') or path.startswith('svn+ssh://-') | |
|
2894 | or '|' in path): | |
|
2894 | 2895 | raise error.Abort(_('potentially unsafe url: %r') % |
|
2895 | 2896 | (path,)) |
|
2896 | 2897 |
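Review bot: The prefix test in the new condition is case-sensitive, so it matches only the lowercase spellings `ssh://-` and `svn+ssh://-`. If anything downstream treats the scheme case-insensitively (not visible here), a mixed-case scheme would skip the check. Comparing against a lowercased copy and using the tuple form of `startswith` keeps it to one call: `if path.lower().startswith(('ssh://-', 'svn+ssh://-')) or '|' in path:`. The docstring begins outside the hunk; it should be updated to state that svn+ssh urls are now covered as well.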
@@ -639,3 +639,67 b' Test that sanitizing is omitted in meta ' | |||
|
639 | 639 | $ hg update -q -C '.^1' |
|
640 | 640 | |
|
641 | 641 | $ cd ../.. |
|
642 | ||
|
643 | SEC: test for ssh exploit | |
|
644 | ||
|
645 | $ hg init ssh-vuln | |
|
646 | $ cd ssh-vuln | |
|
647 | $ echo "s = [svn]$SVNREPOURL/src" >> .hgsub | |
|
648 | $ svn co --quiet "$SVNREPOURL"/src s | |
|
649 | $ hg add .hgsub | |
|
650 | $ hg ci -m1 | |
|
651 | $ echo "s = [svn]svn+ssh://-oProxyCommand=touch%20owned%20nested" > .hgsub | |
|
652 | $ hg ci -m2 | |
|
653 | $ cd .. | |
|
654 | $ hg clone ssh-vuln ssh-vuln-clone | |
|
655 | updating to branch default | |
|
656 | abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepo s) | |
|
657 | [255] | |
|
658 | ||
|
659 | also check that a percent encoded '-' (%2D) doesn't work | |
|
660 | ||
|
661 | $ cd ssh-vuln | |
|
662 | $ echo "s = [svn]svn+ssh://%2DoProxyCommand=touch%20owned%20nested" > .hgsub | |
|
663 | $ hg ci -m3 | |
|
664 | $ cd .. | |
|
665 | $ rm -r ssh-vuln-clone | |
|
666 | $ hg clone ssh-vuln ssh-vuln-clone | |
|
667 | updating to branch default | |
|
668 | abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepo s) | |
|
669 | [255] | |
|
670 | ||
|
671 | also check for a pipe | |
|
672 | ||
|
673 | $ cd ssh-vuln | |
|
674 | $ echo "s = [svn]svn+ssh://fakehost|sh%20nested" > .hgsub | |
|
675 | $ hg ci -m3 | |
|
676 | $ cd .. | |
|
677 | $ rm -r ssh-vuln-clone | |
|
678 | $ hg clone ssh-vuln ssh-vuln-clone | |
|
679 | updating to branch default | |
|
680 | abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepo s) | |
|
681 | [255] | |
|
682 | ||
|
683 | also check that a percent encoded '|' (%7C) doesn't work | |
|
684 | ||
|
685 | $ cd ssh-vuln | |
|
686 | $ echo "s = [svn]svn+ssh://fakehost%7Csh%20nested" > .hgsub | |
|
687 | $ hg ci -m3 | |
|
688 | $ cd .. | |
|
689 | $ rm -r ssh-vuln-clone | |
|
690 | $ hg clone ssh-vuln ssh-vuln-clone | |
|
691 | updating to branch default | |
|
692 | abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepo s) | |
|
693 | [255] | |
|
694 | ||
|
695 | also check that hiding the attack in the username doesn't work: | |
|
696 | ||
|
697 | $ cd ssh-vuln | |
|
698 | $ echo "s = [svn]svn+ssh://%2DoProxyCommand=touch%20owned%20foo@example.com/nested" > .hgsub | |
|
699 | $ hg ci -m3 | |
|
700 | $ cd .. | |
|
701 | $ rm -r ssh-vuln-clone | |
|
702 | $ hg clone ssh-vuln ssh-vuln-clone | |
|
703 | updating to branch default | |
|
704 | abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned foo@example.com/nested' (in subrepo s) | |
|
705 | [255] |
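Review bot: Each new case asserts only the abort message and the `[255]` exit status; none checks that the clone left no `owned` file behind, which is the property the fix is meant to guarantee. A short step after each `hg clone` that tests for that file in the working directory and in `ssh-vuln-clone` would pin that the abort happens before anything is executed. Four of the commits also reuse the message `-m3`, which makes a failing run harder to map to its case; distinct messages would help.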