util: add utility method to check for bad ssh urls (SEC)...
util: add utility method to check for bad ssh urls (SEC)

Our use of SSH has a weakness: the first part of a URL is parsed blindly as a hostname. Prior to this set of security patches, a URL with '-oProxyCommand' could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' can be abused to execute arbitrary commands in a similar fashion. We defend against this by checking ssh:// URLs and looking for a hostname that starts with a - or contains a |. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.

File last commit:

r26222:3095b102 default
r33723:0b3fe391 stable
map-cmdline.xml
20 lines | 1.6 KiB | application/xml | XmlLexer
# Template map that renders changeset log entries as an XML document.
# docheader/docfooter wrap the whole output in a single <log> element; each
# changeset becomes one <logentry>.
#
# Output-encoding note: author, description, file names, branch, tag and
# bookmark names, copy sources and extra key/value pairs all pass through the
# xmlescape filter before being placed in element content or attribute values.
# These strings come from repository data, so the filter is what keeps them
# from breaking out of the surrounding markup. Any new keyword added here
# should carry |xmlescape unless its format is known to be markup-free.
# NOTE(review): {rev}, {node} and {date|rfc3339date} are emitted without
# xmlescape -- presumably safe because they are a number, a hex hash and a
# formatted timestamp; confirm before reusing this pattern for other keywords.
docheader = '<?xml version="1.0"?>\n<log>\n'
docfooter = '</log>\n'
# Default entry: revision/node attributes, then author, date and message.
# The author e-mail lands inside a double-quoted attribute, so this relies on
# xmlescape escaping quotes as well as & and < (verify in the filter itself).
# xml:space="preserve" asks consumers to keep the message whitespace as-is.
# {branches}{bookmarks}{tags}{parents} presumably expand through the singular
# branch/bookmark/tag/parent entries defined at the end of this file.
changeset = '<logentry revision="{rev}" node="{node}">\n{branches}{bookmarks}{tags}{parents}<author email="{author|email|xmlescape}">{author|person|xmlescape}</author>\n<date>{date|rfc3339date}</date>\n<msg xml:space="preserve">{desc|xmlescape}</msg>\n</logentry>\n'
# Verbose entry: same as changeset, plus a <paths> list of added, deleted and
# modified files, followed by {file_copies}.
changeset_verbose = '<logentry revision="{rev}" node="{node}">\n{branches}{bookmarks}{tags}{parents}<author email="{author|email|xmlescape}">{author|person|xmlescape}</author>\n<date>{date|rfc3339date}</date>\n<msg xml:space="preserve">{desc|xmlescape}</msg>\n<paths>\n{file_adds}{file_dels}{file_mods}</paths>\n{file_copies}</logentry>\n'
# Debug entry: same as changeset_verbose, plus {extras}.
changeset_debug = '<logentry revision="{rev}" node="{node}">\n{branches}{bookmarks}{tags}{parents}<author email="{author|email|xmlescape}">{author|person|xmlescape}</author>\n<date>{date|rfc3339date}</date>\n<msg xml:space="preserve">{desc|xmlescape}</msg>\n<paths>\n{file_adds}{file_dels}{file_mods}</paths>\n{file_copies}{extras}</logentry>\n'
# One <path> per touched file; the action attribute is A for file_add,
# M for file_mod and R for file_del. File names are escaped.
file_add = '<path action="A">{file_add|xmlescape}</path>\n'
file_mod = '<path action="M">{file_mod|xmlescape}</path>\n'
file_del = '<path action="R">{file_del|xmlescape}</path>\n'
# Copy records: a <copies> wrapper around one <copy> per entry, with the
# escaped source in an attribute and the escaped name as element text.
start_file_copies = '<copies>\n'
file_copy = '<copy source="{source|xmlescape}">{name|xmlescape}</copy>\n'
end_file_copies = '</copies>\n'
# Per-item entries. parent emits only {rev} and {node}; the others escape
# their name or key/value text.
parent = '<parent revision="{rev}" node="{node}" />\n'
branch = '<branch>{branch|xmlescape}</branch>\n'
tag = '<tag>{tag|xmlescape}</tag>\n'
bookmark = '<bookmark>{bookmark|xmlescape}</bookmark>\n'
extra = '<extra key="{key|xmlescape}">{value|xmlescape}</extra>\n'