ssh: unban the use of pipe character in user@host:port string...
Yuya Nishihara -
r33716:943c9132 4.2.3 stable
@@ -2890,8 +2890,7 b' def checksafessh(path):'
2890 Raises an error.Abort when the url is unsafe.
2890 Raises an error.Abort when the url is unsafe.
2891 """
2891 """
2892 path = urlreq.unquote(path)
2892 path = urlreq.unquote(path)
2893 if (path.startswith('ssh://-') or path.startswith('svn+ssh://-')
2893 if path.startswith('ssh://-') or path.startswith('svn+ssh://-'):
2894 or '|' in path):
2895 raise error.Abort(_('potentially unsafe url: %r') %
2894 raise error.Abort(_('potentially unsafe url: %r') %
2896 (path,))
2895 (path,))
2897
2896
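Review bot: With `or '|' in path` removed, checksafessh rejects only a leading `-` after the scheme, so a pipe in the user@host part is safe only if every consumer of the URL quotes it before it reaches a shell, and that quoting is not visible in this hunk. The git and svn subrepo tests deleted further down show that this same check used to reject `[git]ssh://fakehost|shell/path` and `[svn]svn+ssh://fakehost|sh%20nested`, where the ssh command line is presumably built by git or svn rather than by hg. Unlike the hg subrepo tests, those cases get no replacement `[ ! -f owned ] || echo 'you got owned'` assertion, so nothing pins down what happens to a pipe on those two paths any more. I would add a comment above the condition, for example `# '|' is no longer rejected here; the user@host argument must be shell-quoted where the ssh command is built`, and keep one git and one svn subrepo case that asserts no `owned` file appears. The function's docstring starts outside the hunk.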
@@ -1106,11 +1106,11 b' SEC: check for unsafe ssh url'
1106 $ hg clone 'ssh://%2DoProxyCommand=touch${IFS}owned/path'
1106 $ hg clone 'ssh://%2DoProxyCommand=touch${IFS}owned/path'
1107 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
1107 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
1108 [255]
1108 [255]
1109 $ hg clone 'ssh://fakehost|shellcommand/path'
1109 $ hg clone 'ssh://fakehost|touch%20owned/path'
1110 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
1110 abort: no suitable response from remote hg!
1111 [255]
1111 [255]
1112 $ hg clone 'ssh://fakehost%7Cshellcommand/path'
1112 $ hg clone 'ssh://fakehost%7Ctouch%20owned/path'
1113 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
1113 abort: no suitable response from remote hg!
1114 [255]
1114 [255]
1115
1115
1116 $ hg clone 'ssh://-oProxyCommand=touch owned%20foo@example.com/nonexistent/path'
1116 $ hg clone 'ssh://-oProxyCommand=touch owned%20foo@example.com/nonexistent/path'
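Review bot: The two rewritten pipe cases here (`ssh://fakehost|touch%20owned/path` and the `%7C` form) assert only the abort message, not that the injected command stayed inert. The pull, push and hg-subrepo tests in this commit follow the same cases with `$ [ ! -f owned ] || echo 'you got owned'`, and add a `ui.ssh` stub so no real ssh is started; neither appears inside this hunk. If the file does not already have both elsewhere, add the stub before the first clone and the `owned` check after the last pipe case, so a regression in quoting fails the test instead of passing on the error text alone.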
@@ -107,6 +107,11 b' regular shell commands.'
107
107
108 SEC: check for unsafe ssh url
108 SEC: check for unsafe ssh url
109
109
110 $ cat >> $HGRCPATH << EOF
111 > [ui]
112 > ssh = sh -c "read l; read l; read l"
113 > EOF
114
110 $ hg pull 'ssh://-oProxyCommand=touch${IFS}owned/path'
115 $ hg pull 'ssh://-oProxyCommand=touch${IFS}owned/path'
111 pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
116 pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
112 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
117 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
@@ -115,13 +120,15 b' SEC: check for unsafe ssh url'
115 pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
120 pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
116 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
121 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
117 [255]
122 [255]
118 $ hg pull 'ssh://fakehost|shellcommand/path'
123 $ hg pull 'ssh://fakehost|touch${IFS}owned/path'
119 pulling from ssh://fakehost%7Cshellcommand/path
124 pulling from ssh://fakehost%7Ctouch%24%7BIFS%7Downed/path
120 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
125 abort: no suitable response from remote hg!
121 [255]
126 [255]
122 $ hg pull 'ssh://fakehost%7Cshellcommand/path'
127 $ hg pull 'ssh://fakehost%7Ctouch%20owned/path'
123 pulling from ssh://fakehost%7Cshellcommand/path
128 pulling from ssh://fakehost%7Ctouch%20owned/path
124 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
129 abort: no suitable response from remote hg!
125 [255]
130 [255]
126
131
132 $ [ ! -f owned ] || echo 'you got owned'
133
127 $ cd ..
134 $ cd ..
@@ -299,6 +299,11 b' Test push hook locking'
299
299
300 SEC: check for unsafe ssh url
300 SEC: check for unsafe ssh url
301
301
302 $ cat >> $HGRCPATH << EOF
303 > [ui]
304 > ssh = sh -c "read l; read l; read l"
305 > EOF
306
302 $ hg -R test-revflag push 'ssh://-oProxyCommand=touch${IFS}owned/path'
307 $ hg -R test-revflag push 'ssh://-oProxyCommand=touch${IFS}owned/path'
303 pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
308 pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
304 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
309 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
@@ -307,11 +312,13 b' SEC: check for unsafe ssh url'
307 pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
312 pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
308 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
313 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
309 [255]
314 [255]
310 $ hg -R test-revflag push 'ssh://fakehost|shellcommand/path'
315 $ hg -R test-revflag push 'ssh://fakehost|touch${IFS}owned/path'
311 pushing to ssh://fakehost%7Cshellcommand/path
316 pushing to ssh://fakehost%7Ctouch%24%7BIFS%7Downed/path
312 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
317 abort: no suitable response from remote hg!
313 [255]
318 [255]
314 $ hg -R test-revflag push 'ssh://fakehost%7Cshellcommand/path'
319 $ hg -R test-revflag push 'ssh://fakehost%7Ctouch%20owned/path'
315 pushing to ssh://fakehost%7Cshellcommand/path
320 pushing to ssh://fakehost%7Ctouch%20owned/path
316 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
321 abort: no suitable response from remote hg!
317 [255]
322 [255]
323
324 $ [ ! -f owned ] || echo 'you got owned'
@@ -1205,26 +1205,3 b" also check that a percent encoded '-' (%"
1205 abort: potentially unsafe url: 'ssh://-oProxyCommand=rm${IFS}non-existent/path' (in subrepo s)
1205 abort: potentially unsafe url: 'ssh://-oProxyCommand=rm${IFS}non-existent/path' (in subrepo s)
1206 [255]
1206 [255]
1207
1207
1208 also check for a pipe
1209
1210 $ cd malicious-proxycommand
1211 $ echo 's = [git]ssh://fakehost|shell/path' > .hgsub
1212 $ hg ci -m 'change url to pipe'
1213 $ cd ..
1214 $ rm -r malicious-proxycommand-clone
1215 $ hg clone malicious-proxycommand malicious-proxycommand-clone
1216 updating to branch default
1217 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepo s)
1218 [255]
1219
1220 also check that a percent encoded '|' (%7C) doesn't work
1221
1222 $ cd malicious-proxycommand
1223 $ echo 's = [git]ssh://fakehost%7Cshell/path' > .hgsub
1224 $ hg ci -m 'change url to percent encoded'
1225 $ cd ..
1226 $ rm -r malicious-proxycommand-clone
1227 $ hg clone malicious-proxycommand malicious-proxycommand-clone
1228 updating to branch default
1229 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepo s)
1230 [255]
@@ -668,30 +668,6 b" also check that a percent encoded '-' (%"
668 abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepo s)
668 abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepo s)
669 [255]
669 [255]
670
670
671 also check for a pipe
672
673 $ cd ssh-vuln
674 $ echo "s = [svn]svn+ssh://fakehost|sh%20nested" > .hgsub
675 $ hg ci -m3
676 $ cd ..
677 $ rm -r ssh-vuln-clone
678 $ hg clone ssh-vuln ssh-vuln-clone
679 updating to branch default
680 abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepo s)
681 [255]
682
683 also check that a percent encoded '|' (%7C) doesn't work
684
685 $ cd ssh-vuln
686 $ echo "s = [svn]svn+ssh://fakehost%7Csh%20nested" > .hgsub
687 $ hg ci -m3
688 $ cd ..
689 $ rm -r ssh-vuln-clone
690 $ hg clone ssh-vuln ssh-vuln-clone
691 updating to branch default
692 abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepo s)
693 [255]
694
695 also check that hiding the attack in the username doesn't work:
671 also check that hiding the attack in the username doesn't work:
696
672
697 $ cd ssh-vuln
673 $ cd ssh-vuln
@@ -1780,6 +1780,11 b" Test that '[paths]' is configured correc"
1780
1780
1781 test for ssh exploit 2017-07-25
1781 test for ssh exploit 2017-07-25
1782
1782
1783 $ cat >> $HGRCPATH << EOF
1784 > [ui]
1785 > ssh = sh -c "read l; read l; read l"
1786 > EOF
1787
1783 $ hg init malicious-proxycommand
1788 $ hg init malicious-proxycommand
1784 $ cd malicious-proxycommand
1789 $ cd malicious-proxycommand
1785 $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub
1790 $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub
@@ -1813,26 +1818,28 b" also check that a percent encoded '-' (%"
1813 also check for a pipe
1818 also check for a pipe
1814
1819
1815 $ cd malicious-proxycommand
1820 $ cd malicious-proxycommand
1816 $ echo 's = [hg]ssh://fakehost|shell/path' > .hgsub
1821 $ echo 's = [hg]ssh://fakehost|touch${IFS}owned/path' > .hgsub
1817 $ hg ci -m 'change url to pipe'
1822 $ hg ci -m 'change url to pipe'
1818 $ cd ..
1823 $ cd ..
1819 $ rm -r malicious-proxycommand-clone
1824 $ rm -r malicious-proxycommand-clone
1820 $ hg clone malicious-proxycommand malicious-proxycommand-clone
1825 $ hg clone malicious-proxycommand malicious-proxycommand-clone
1821 updating to branch default
1826 updating to branch default
1822 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepo s)
1827 abort: no suitable response from remote hg!
1823 [255]
1828 [255]
1829 $ [ ! -f owned ] || echo 'you got owned'
1824
1830
1825 also check that a percent encoded '|' (%7C) doesn't work
1831 also check that a percent encoded '|' (%7C) doesn't work
1826
1832
1827 $ cd malicious-proxycommand
1833 $ cd malicious-proxycommand
1828 $ echo 's = [hg]ssh://fakehost%7Cshell/path' > .hgsub
1834 $ echo 's = [hg]ssh://fakehost%7Ctouch%20owned/path' > .hgsub
1829 $ hg ci -m 'change url to percent encoded pipe'
1835 $ hg ci -m 'change url to percent encoded pipe'
1830 $ cd ..
1836 $ cd ..
1831 $ rm -r malicious-proxycommand-clone
1837 $ rm -r malicious-proxycommand-clone
1832 $ hg clone malicious-proxycommand malicious-proxycommand-clone
1838 $ hg clone malicious-proxycommand malicious-proxycommand-clone
1833 updating to branch default
1839 updating to branch default
1834 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepo s)
1840 abort: no suitable response from remote hg!
1835 [255]
1841 [255]
1842 $ [ ! -f owned ] || echo 'you got owned'
1836
1843
1837 and bad usernames:
1844 and bad usernames:
1838 $ cd malicious-proxycommand
1845 $ cd malicious-proxycommand