@@ -1274,6 +1274,10 b' class svnsubrepo(abstractsubrepo):' | |||||
1274 | # The revision must be specified at the end of the URL to properly |
|
1274 | # The revision must be specified at the end of the URL to properly | |
1275 | # update to a directory which has since been deleted and recreated. |
|
1275 | # update to a directory which has since been deleted and recreated. | |
1276 | args.append('%s@%s' % (state[0], state[1])) |
|
1276 | args.append('%s@%s' % (state[0], state[1])) | |
|
1277 | ||||
|
1278 | # SEC: check that the ssh url is safe | |||
|
1279 | util.checksafessh(state[0]) | |||
|
1280 | ||||
1277 | status, err = self._svncommand(args, failok=True) |
|
1281 | status, err = self._svncommand(args, failok=True) | |
1278 | _sanitize(self.ui, self.wvfs, '.svn') |
|
1282 | _sanitize(self.ui, self.wvfs, '.svn') | |
1279 | if not re.search('Checked out revision [0-9]+.', status): |
|
1283 | if not re.search('Checked out revision [0-9]+.', status): |
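Review bot: The new `util.checksafessh(state[0])` call validates only the URL half of the argument, while the string actually handed to svn is `'%s@%s' % (state[0], state[1])`, built a few lines above it. Running the check on the combined value, or at least before `args.append(...)`, would keep what is validated identical to what is executed and make the ordering obvious to a reader. The `# SEC:` comment could also state the reason, e.g. `# SEC: refuse URLs that ssh would parse as an option (leading '-') or that contain '|'`. The enclosing method starts and ends outside this hunk, so any other svn invocation that takes the subrepo URL is not visible here and should be checked for the same guard.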
@@ -2890,7 +2890,8 b' def checksafessh(path):' | |||||
2890 | Raises an error.Abort when the url is unsafe. |
|
2890 | Raises an error.Abort when the url is unsafe. | |
2891 | """ |
|
2891 | """ | |
2892 | path = urlreq.unquote(path) |
|
2892 | path = urlreq.unquote(path) | |
2893 |
if path.startswith('ssh://-') or ' |
|
2893 | if (path.startswith('ssh://-') or path.startswith('svn+ssh://-') | |
|
2894 | or '|' in path): | |||
2894 | raise error.Abort(_('potentially unsafe url: %r') % |
|
2895 | raise error.Abort(_('potentially unsafe url: %r') % | |
2895 | (path,)) |
|
2896 | (path,)) | |
2896 |
|
2897 |
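Review bot: The prefix test in `checksafessh` is case-sensitive and the URL is decoded only once, so the guard relies on the scheme arriving in lower case and on nothing downstream decoding the string a second time. Neither is established by the lines shown, so it is worth confirming or normalising the value before the comparison. The two `startswith` calls can also be a single call with a tuple: `if path.startswith(('ssh://-', 'svn+ssh://-')) or '|' in path:`. The docstring begins above the hunk; if it still describes only `ssh://`, it should mention `svn+ssh://` and the pipe character as well.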
@@ -639,3 +639,67 b' Test that sanitizing is omitted in meta ' | |||||
639 | $ hg update -q -C '.^1' |
|
639 | $ hg update -q -C '.^1' | |
640 |
|
640 | |||
641 | $ cd ../.. |
|
641 | $ cd ../.. | |
|
642 | ||||
|
643 | SEC: test for ssh exploit | |||
|
644 | ||||
|
645 | $ hg init ssh-vuln | |||
|
646 | $ cd ssh-vuln | |||
|
647 | $ echo "s = [svn]$SVNREPOURL/src" >> .hgsub | |||
|
648 | $ svn co --quiet "$SVNREPOURL"/src s | |||
|
649 | $ hg add .hgsub | |||
|
650 | $ hg ci -m1 | |||
|
651 | $ echo "s = [svn]svn+ssh://-oProxyCommand=touch%20owned%20nested" > .hgsub | |||
|
652 | $ hg ci -m2 | |||
|
653 | $ cd .. | |||
|
654 | $ hg clone ssh-vuln ssh-vuln-clone | |||
|
655 | updating to branch default | |||
|
656 | abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepo s) | |||
|
657 | [255] | |||
|
658 | ||||
|
659 | also check that a percent encoded '-' (%2D) doesn't work | |||
|
660 | ||||
|
661 | $ cd ssh-vuln | |||
|
662 | $ echo "s = [svn]svn+ssh://%2DoProxyCommand=touch%20owned%20nested" > .hgsub | |||
|
663 | $ hg ci -m3 | |||
|
664 | $ cd .. | |||
|
665 | $ rm -r ssh-vuln-clone | |||
|
666 | $ hg clone ssh-vuln ssh-vuln-clone | |||
|
667 | updating to branch default | |||
|
668 | abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepo s) | |||
|
669 | [255] | |||
|
670 | ||||
|
671 | also check for a pipe | |||
|
672 | ||||
|
673 | $ cd ssh-vuln | |||
|
674 | $ echo "s = [svn]svn+ssh://fakehost|sh%20nested" > .hgsub | |||
|
675 | $ hg ci -m3 | |||
|
676 | $ cd .. | |||
|
677 | $ rm -r ssh-vuln-clone | |||
|
678 | $ hg clone ssh-vuln ssh-vuln-clone | |||
|
679 | updating to branch default | |||
|
680 | abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepo s) | |||
|
681 | [255] | |||
|
682 | ||||
|
683 | also check that a percent encoded '|' (%7C) doesn't work | |||
|
684 | ||||
|
685 | $ cd ssh-vuln | |||
|
686 | $ echo "s = [svn]svn+ssh://fakehost%7Csh%20nested" > .hgsub | |||
|
687 | $ hg ci -m3 | |||
|
688 | $ cd .. | |||
|
689 | $ rm -r ssh-vuln-clone | |||
|
690 | $ hg clone ssh-vuln ssh-vuln-clone | |||
|
691 | updating to branch default | |||
|
692 | abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepo s) | |||
|
693 | [255] | |||
|
694 | ||||
|
695 | also check that hiding the attack in the username doesn't work: | |||
|
696 | ||||
|
697 | $ cd ssh-vuln | |||
|
698 | $ echo "s = [svn]svn+ssh://%2DoProxyCommand=touch%20owned%20foo@example.com/nested" > .hgsub | |||
|
699 | $ hg ci -m3 | |||
|
700 | $ cd .. | |||
|
701 | $ rm -r ssh-vuln-clone | |||
|
702 | $ hg clone ssh-vuln ssh-vuln-clone | |||
|
703 | updating to branch default | |||
|
704 | abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned foo@example.com/nested' (in subrepo s) | |||
|
705 | [255] |
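Review bot: Each case asserts only the `abort: potentially unsafe url` message, so these tests would presumably still pass if the command named in the URL had run before the abort was raised. Adding a check after each clone that no file named `owned` exists in the working directory would pin the property the fix is meant to guarantee. There is also no positive case showing that an ordinary `svn+ssh://` subrepo URL is still accepted by the new check. The last four commits all reuse `-m3`, which makes a failing run harder to read.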