upstream/mercurial-mirror Commit - r33733:3fee7f7d

ssh: unban the use of pipe character in user@host:port string...

Yuya Nishihara -

r33733:3fee7f7d 4.3.1 stable

parent child

mercurial/util.py

0 +1 -2

                  Raises an error.Abort when the url is unsafe.
                  """
                  path = urlreq.unquote(path)
-                 if (path.startswith('ssh://-') or path.startswith('svn+ssh://-')
-                     or '|' in path):
+                 if path.startswith('ssh://-') or path.startswith('svn+ssh://-'):
                      raise error.Abort(_('potentially unsafe url: %r') %
                                        (path,))

tests/test-clone.t

0 +4 -4

                $ hg clone 'ssh://%2DoProxyCommand=touch${IFS}owned/path'
                abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
                [255]
-               $ hg clone 'ssh://fakehost|shellcommand/path'
-               abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+               $ hg clone 'ssh://fakehost|touch%20owned/path'
+               abort: no suitable response from remote hg!
                [255]
-               $ hg clone 'ssh://fakehost%7Cshellcommand/path'
-               abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+               $ hg clone 'ssh://fakehost%7Ctouch%20owned/path'
+               abort: no suitable response from remote hg!
                [255]
                $ hg clone 'ssh://-oProxyCommand=touch owned%20foo@example.com/nonexistent/path'

tests/test-pull.t

0 +13 -6

              SEC: check for unsafe ssh url
+               $ cat >> $HGRCPATH << EOF
+               > [ui]
+               > ssh = sh -c "read l; read l; read l"
+               > EOF
                $ hg pull 'ssh://-oProxyCommand=touch${IFS}owned/path'
                pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
                abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
                pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
                abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
                [255]
-               $ hg pull 'ssh://fakehost|shellcommand/path'
-               pulling from ssh://fakehost%7Cshellcommand/path
-               abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+               $ hg pull 'ssh://fakehost|touch${IFS}owned/path'
+               pulling from ssh://fakehost%7Ctouch%24%7BIFS%7Downed/path
+               abort: no suitable response from remote hg!
                [255]
-               $ hg pull 'ssh://fakehost%7Cshellcommand/path'
-               pulling from ssh://fakehost%7Cshellcommand/path
-               abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+               $ hg pull 'ssh://fakehost%7Ctouch%20owned/path'
+               pulling from ssh://fakehost%7Ctouch%20owned/path
+               abort: no suitable response from remote hg!
                [255]
+               $ [ ! -f owned ] || echo 'you got owned'
                $ cd ..

tests/test-push.t

0 +13 -6

              SEC: check for unsafe ssh url
+               $ cat >> $HGRCPATH << EOF
+               > [ui]
+               > ssh = sh -c "read l; read l; read l"
+               > EOF
                $ hg -R test-revflag push 'ssh://-oProxyCommand=touch${IFS}owned/path'
                pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
                abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
                pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
                abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
                [255]
-               $ hg -R test-revflag push 'ssh://fakehost|shellcommand/path'
-               pushing to ssh://fakehost%7Cshellcommand/path
-               abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+               $ hg -R test-revflag push 'ssh://fakehost|touch${IFS}owned/path'
+               pushing to ssh://fakehost%7Ctouch%24%7BIFS%7Downed/path
+               abort: no suitable response from remote hg!
                [255]
-               $ hg -R test-revflag push 'ssh://fakehost%7Cshellcommand/path'
-               pushing to ssh://fakehost%7Cshellcommand/path
-               abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+               $ hg -R test-revflag push 'ssh://fakehost%7Ctouch%20owned/path'
+               pushing to ssh://fakehost%7Ctouch%20owned/path
+               abort: no suitable response from remote hg!
                [255]
+               $ [ ! -f owned ] || echo 'you got owned'

tests/test-subrepo-git.t

0 0 -24

		@@ -1213,27 +1213,3 b" also check that a percent encoded '-' (%"
1213	1213	updating to branch default
1214	1214	abort: potentially unsafe url: 'ssh://-oProxyCommand=rm${IFS}non-existent/path' (in subrepository "s")
1215	1215	[255]
1216
1217		also check for a pipe
1218
1219		$ cd malicious-proxycommand
1220		$ echo 's = [git]ssh://fakehost\|shell/path' > .hgsub
1221		$ hg ci -m 'change url to pipe'
1222		$ cd ..
1223		$ rm -r malicious-proxycommand-clone
1224		$ hg clone malicious-proxycommand malicious-proxycommand-clone
1225		updating to branch default
1226		abort: potentially unsafe url: 'ssh://fakehost\|shell/path' (in subrepository "s")
1227		[255]
1228
1229		also check that a percent encoded '\|' (%7C) doesn't work
1230
1231		$ cd malicious-proxycommand
1232		$ echo 's = [git]ssh://fakehost%7Cshell/path' > .hgsub
1233		$ hg ci -m 'change url to percent encoded'
1234		$ cd ..
1235		$ rm -r malicious-proxycommand-clone
1236		$ hg clone malicious-proxycommand malicious-proxycommand-clone
1237		updating to branch default
1238		abort: potentially unsafe url: 'ssh://fakehost\|shell/path' (in subrepository "s")
1239		[255]

tests/test-subrepo-svn.t

0 0 -24

		@@ -668,30 +668,6 b" also check that a percent encoded '-' (%"
668	668	abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepository "s")
669	669	[255]
670	670
671		also check for a pipe
672
673		$ cd ssh-vuln
674		$ echo "s = [svn]svn+ssh://fakehost\|sh%20nested" > .hgsub
675		$ hg ci -m3
676		$ cd ..
677		$ rm -r ssh-vuln-clone
678		$ hg clone ssh-vuln ssh-vuln-clone
679		updating to branch default
680		abort: potentially unsafe url: 'svn+ssh://fakehost\|sh nested' (in subrepository "s")
681		[255]
682
683		also check that a percent encoded '\|' (%7C) doesn't work
684
685		$ cd ssh-vuln
686		$ echo "s = [svn]svn+ssh://fakehost%7Csh%20nested" > .hgsub
687		$ hg ci -m3
688		$ cd ..
689		$ rm -r ssh-vuln-clone
690		$ hg clone ssh-vuln ssh-vuln-clone
691		updating to branch default
692		abort: potentially unsafe url: 'svn+ssh://fakehost\|sh nested' (in subrepository "s")
693		[255]
694
695	671	also check that hiding the attack in the username doesn't work:
696	672
697	673	$ cd ssh-vuln

tests/test-subrepo.t

0 +11 -4

              test for ssh exploit 2017-07-25
+               $ cat >> $HGRCPATH << EOF
+               > [ui]
+               > ssh = sh -c "read l; read l; read l"
+               > EOF
                $ hg init malicious-proxycommand
                $ cd malicious-proxycommand
-               $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub
              also check for a pipe
                $ cd malicious-proxycommand
-               $ echo 's = [hg]ssh://fakehost|shell/path' > .hgsub
+               $ echo 's = [hg]ssh://fakehost|touch${IFS}owned/path' > .hgsub
                $ hg ci -m 'change url to pipe'
                $ cd ..
                $ rm -r malicious-proxycommand-clone
                $ hg clone malicious-proxycommand malicious-proxycommand-clone
                updating to branch default
-               abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s")
+               abort: no suitable response from remote hg!
                [255]
+               $ [ ! -f owned ] || echo 'you got owned'
              also check that a percent encoded '|' (%7C) doesn't work
                $ cd malicious-proxycommand
-               $ echo 's = [hg]ssh://fakehost%7Cshell/path' > .hgsub
+               $ echo 's = [hg]ssh://fakehost%7Ctouch%20owned/path' > .hgsub
                $ hg ci -m 'change url to percent encoded pipe'
                $ cd ..
                $ rm -r malicious-proxycommand-clone
                $ hg clone malicious-proxycommand malicious-proxycommand-clone
                updating to branch default
-               abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s")
+               abort: no suitable response from remote hg!
                [255]
+               $ [ ! -f owned ] || echo 'you got owned'
              and bad usernames:
                $ cd malicious-proxycommand

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages