upstream/mercurial-mirror Commit - r33716:943c9132

ssh: unban the use of pipe character in user@host:port string...

Yuya Nishihara -

r33716:943c9132 4.2.3 stable

parent child

mercurial/util.py

0 +1 -2

                 Raises an error.Abort when the url is unsafe.
                 """
                 path = urlreq.unquote(path)
-                if (path.startswith('ssh://-') or path.startswith('svn+ssh://-')
+                if path.startswith('ssh://-') or path.startswith('svn+ssh://-'):
-                    or '|' in path):
                     raise error.Abort(_('potentially unsafe url: %r') %
                                       (path,))

tests/test-clone.t

0 +4 -4

               $ hg clone 'ssh://%2DoProxyCommand=touch${IFS}owned/path'
               abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
               [255]
-              $ hg clone 'ssh://fakehost|shellcommand/path'
+              $ hg clone 'ssh://fakehost|touch%20owned/path'
-              abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+              abort: no suitable response from remote hg!
               [255]
-              $ hg clone 'ssh://fakehost%7Cshellcommand/path'
+              $ hg clone 'ssh://fakehost%7Ctouch%20owned/path'
-              abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+              abort: no suitable response from remote hg!
               [255]
               $ hg clone 'ssh://-oProxyCommand=touch owned%20foo@example.com/nonexistent/path'

tests/test-pull.t

0 +13 -6

             SEC: check for unsafe ssh url
+              $ cat >> $HGRCPATH << EOF
+              > [ui]
+              > ssh = sh -c "read l; read l; read l"
+              > EOF
               $ hg pull 'ssh://-oProxyCommand=touch${IFS}owned/path'
               pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
               abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
               pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
               abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
               [255]
-              $ hg pull 'ssh://fakehost|shellcommand/path'
+              $ hg pull 'ssh://fakehost|touch${IFS}owned/path'
-              pulling from ssh://fakehost%7Cshellcommand/path
+              pulling from ssh://fakehost%7Ctouch%24%7BIFS%7Downed/path
-              abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+              abort: no suitable response from remote hg!
               [255]
-              $ hg pull 'ssh://fakehost%7Cshellcommand/path'
+              $ hg pull 'ssh://fakehost%7Ctouch%20owned/path'
-              pulling from ssh://fakehost%7Cshellcommand/path
+              pulling from ssh://fakehost%7Ctouch%20owned/path
-              abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+              abort: no suitable response from remote hg!
               [255]
+              $ [ ! -f owned ] || echo 'you got owned'
               $ cd ..

tests/test-push.t

0 +13 -6

             SEC: check for unsafe ssh url
+              $ cat >> $HGRCPATH << EOF
+              > [ui]
+              > ssh = sh -c "read l; read l; read l"
+              > EOF
               $ hg -R test-revflag push 'ssh://-oProxyCommand=touch${IFS}owned/path'
               pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
               abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
               pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
               abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
               [255]
-              $ hg -R test-revflag push 'ssh://fakehost|shellcommand/path'
+              $ hg -R test-revflag push 'ssh://fakehost|touch${IFS}owned/path'
-              pushing to ssh://fakehost%7Cshellcommand/path
+              pushing to ssh://fakehost%7Ctouch%24%7BIFS%7Downed/path
-              abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+              abort: no suitable response from remote hg!
               [255]
-              $ hg -R test-revflag push 'ssh://fakehost%7Cshellcommand/path'
+              $ hg -R test-revflag push 'ssh://fakehost%7Ctouch%20owned/path'
-              pushing to ssh://fakehost%7Cshellcommand/path
+              pushing to ssh://fakehost%7Ctouch%20owned/path
-              abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+              abort: no suitable response from remote hg!
               [255]
+              $ [ ! -f owned ] || echo 'you got owned'

tests/test-subrepo-git.t

0 0 -23

@@ -1205,26 +1205,3 b" also check that a percent encoded '-' (%"
1205	abort: potentially unsafe url: 'ssh://-oProxyCommand=rm${IFS}non-existent/path' (in subrepo s)	1205	abort: potentially unsafe url: 'ssh://-oProxyCommand=rm${IFS}non-existent/path' (in subrepo s)
1206	[255]	1206	[255]
1207		1207
1208	also check for a pipe
1209
1210	$ cd malicious-proxycommand
1211	$ echo 's = [git]ssh://fakehost\|shell/path' > .hgsub
1212	$ hg ci -m 'change url to pipe'
1213	$ cd ..
1214	$ rm -r malicious-proxycommand-clone
1215	$ hg clone malicious-proxycommand malicious-proxycommand-clone
1216	updating to branch default
1217	abort: potentially unsafe url: 'ssh://fakehost\|shell/path' (in subrepo s)
1218	[255]
1219
1220	also check that a percent encoded '\|' (%7C) doesn't work
1221
1222	$ cd malicious-proxycommand
1223	$ echo 's = [git]ssh://fakehost%7Cshell/path' > .hgsub
1224	$ hg ci -m 'change url to percent encoded'
1225	$ cd ..
1226	$ rm -r malicious-proxycommand-clone
1227	$ hg clone malicious-proxycommand malicious-proxycommand-clone
1228	updating to branch default
1229	abort: potentially unsafe url: 'ssh://fakehost\|shell/path' (in subrepo s)
1230	[255]

tests/test-subrepo-svn.t

0 0 -24

@@ -668,30 +668,6 b" also check that a percent encoded '-' (%"
668	abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepo s)	668	abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepo s)
669	[255]	669	[255]
670		670
671	also check for a pipe
672
673	$ cd ssh-vuln
674	$ echo "s = [svn]svn+ssh://fakehost\|sh%20nested" > .hgsub
675	$ hg ci -m3
676	$ cd ..
677	$ rm -r ssh-vuln-clone
678	$ hg clone ssh-vuln ssh-vuln-clone
679	updating to branch default
680	abort: potentially unsafe url: 'svn+ssh://fakehost\|sh nested' (in subrepo s)
681	[255]
682
683	also check that a percent encoded '\|' (%7C) doesn't work
684
685	$ cd ssh-vuln
686	$ echo "s = [svn]svn+ssh://fakehost%7Csh%20nested" > .hgsub
687	$ hg ci -m3
688	$ cd ..
689	$ rm -r ssh-vuln-clone
690	$ hg clone ssh-vuln ssh-vuln-clone
691	updating to branch default
692	abort: potentially unsafe url: 'svn+ssh://fakehost\|sh nested' (in subrepo s)
693	[255]
694
695	also check that hiding the attack in the username doesn't work:	671	also check that hiding the attack in the username doesn't work:
696		672
697	$ cd ssh-vuln	673	$ cd ssh-vuln

tests/test-subrepo.t

0 +11 -4

             test for ssh exploit 2017-07-25
+              $ cat >> $HGRCPATH << EOF
+              > [ui]
+              > ssh = sh -c "read l; read l; read l"
+              > EOF
               $ hg init malicious-proxycommand
               $ cd malicious-proxycommand
               $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub
             also check for a pipe
               $ cd malicious-proxycommand
-              $ echo 's = [hg]ssh://fakehost|shell/path' > .hgsub
+              $ echo 's = [hg]ssh://fakehost|touch${IFS}owned/path' > .hgsub
               $ hg ci -m 'change url to pipe'
               $ cd ..
               $ rm -r malicious-proxycommand-clone
               $ hg clone malicious-proxycommand malicious-proxycommand-clone
               updating to branch default
-              abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepo s)
+              abort: no suitable response from remote hg!
               [255]
+              $ [ ! -f owned ] || echo 'you got owned'
             also check that a percent encoded '|' (%7C) doesn't work
               $ cd malicious-proxycommand
-              $ echo 's = [hg]ssh://fakehost%7Cshell/path' > .hgsub
+              $ echo 's = [hg]ssh://fakehost%7Ctouch%20owned/path' > .hgsub
               $ hg ci -m 'change url to percent encoded pipe'
               $ cd ..
               $ rm -r malicious-proxycommand-clone
               $ hg clone malicious-proxycommand malicious-proxycommand-clone
               updating to branch default
-              abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepo s)
+              abort: no suitable response from remote hg!
               [255]
+              $ [ ! -f owned ] || echo 'you got owned'
             and bad usernames:
               $ cd malicious-proxycommand

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages