clone: add tests for unsafe ssh url (SEC)
Sean Farley -
r33709:f9134e96 stable
@@ -1092,3 +1092,25 b' pooled".'
1092 adding remote bookmark bookA
1092 adding remote bookmark bookA
1093 updating working directory
1093 updating working directory
1094 1 files updated, 0 files merged, 0 files removed, 0 files unresolved
1094 1 files updated, 0 files merged, 0 files removed, 0 files unresolved
1095
1096 SEC: check for unsafe ssh url
1097
1098 $ hg clone 'ssh://-oProxyCommand=touch${IFS}owned/path'
1099 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
1100 [255]
1101 $ hg clone 'ssh://%2DoProxyCommand=touch${IFS}owned/path'
1102 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
1103 [255]
1104 $ hg clone 'ssh://fakehost|shellcommand/path'
1105 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
1106 [255]
1107 $ hg clone 'ssh://fakehost%7Cshellcommand/path'
1108 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
1109 [255]
1110
1111 $ hg clone 'ssh://-oProxyCommand=touch owned%20foo@example.com/nonexistent/path'
1112 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch owned foo@example.com/nonexistent/path'
1113 [255]
1114 We should not have created a file named owned - if it exists, the
1115 attack succeeded.
1116 $ if test -f owned; then echo 'you got owned'; fi
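Review bot: The side-effect check at line 1116 ('test -f owned') only backs up the ProxyCommand cases; the two pipe cases at 1104-1109 use a placeholder 'shellcommand' that would leave nothing behind, so they are verified by the abort message alone. Consider having those cases leave a marker file as the ProxyCommand cases do and testing for it in the same final check. A one-line comment before each group would also help, stating what it covers: the literal versus percent-encoded form (%2D, %7C), and the option appearing in the host part (1098, 1101) versus the user part before '@' (1111).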