upstream/mercurial-mirror Files · mercurial/hgweb/protocol.py

subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)...

subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC) CVE-2016-3068 (1/1) Git's git-remote-ext remote helper provides an ext:: URL scheme that allows running arbitrary shell commands. This feature allows implementing simple git smart transports with a single shell shell command. However, git submodules could clone arbitrary URLs specified in the .gitmodules file. This was reported as CVE-2015-7545 and fixed in git v2.6.1. However, if a user directly clones a malicious ext URL, the git client will still run arbitrary shell commands. Mercurial is similarly effected. Mercurial allows specifying git repositories as subrepositories. Git ext:: URLs can be specified as Mercurial subrepositories allowing arbitrary shell commands to be run on `hg clone ...`. The Mercurial community would like to thank Blake Burkhart for reporting this issue. The description of the issue is copied from Blake's report. This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env variable to git commands with the same list of allowed protocols that git submodule is using. When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it to git without modifications.

Augie Fackler - - Load All Authors

File last commit:

r28530:fd2acc50 default


                r28658:34d43cb8

stable

Download file

             protocol.py
        
                    110 lines
            
             | 3.2 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / mercurial / hgweb / protocol.py
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      #

      # Copyright 21 May 2005 - (c) 2005 Jake Edge <jake@edge2.net>

      # Copyright 2005-2007 Matt Mackall <mpm@selenic.com>

      #

      # This software may be used and distributed according to the terms of the

      # GNU General Public License version 2 or any later version.

      from __future__ import absolute_import

      import cStringIO

      import cgi

      import urllib

      import zlib

      from .common import (

          HTTP_OK,

      )

      from .. import (

          util,

          wireproto,

      )

      HGTYPE = 'application/mercurial-0.1'

      HGERRTYPE = 'application/hg-error'

      class webproto(wireproto.abstractserverproto):

          def __init__(self, req, ui):

              self.req = req

              self.response = ''

              self.ui = ui

          def getargs(self, args):

              knownargs = self._args()

              data = {}

              keys = args.split()

              for k in keys:

                  if k == '*':

                      star = {}

                      for key in knownargs.keys():

                          if key != 'cmd' and key not in keys:

                              star[key] = knownargs[key][0]

                      data['*'] = star

                  else:

                      data[k] = knownargs[k][0]

              return [data[k] for k in keys]

          def _args(self):

              args = self.req.form.copy()

              chunks = []

              i = 1

              while True:

                  h = self.req.env.get('HTTP_X_HGARG_' + str(i))

                  if h is None:

                      break

                  chunks += [h]

                  i += 1

              args.update(cgi.parse_qs(''.join(chunks), keep_blank_values=True))

              return args

          def getfile(self, fp):

              length = int(self.req.env['CONTENT_LENGTH'])

              for s in util.filechunkiter(self.req, limit=length):

                  fp.write(s)

          def redirect(self):

              self.oldio = self.ui.fout, self.ui.ferr

              self.ui.ferr = self.ui.fout = cStringIO.StringIO()

          def restore(self):

              val = self.ui.fout.getvalue()

              self.ui.ferr, self.ui.fout = self.oldio

              return val

          def groupchunks(self, cg):

              z = zlib.compressobj()

              while True:

                  chunk = cg.read(4096)

                  if not chunk:

                      break

                  yield z.compress(chunk)

              yield z.flush()

          def _client(self):

              return 'remote:%s:%s:%s' % (

                  self.req.env.get('wsgi.url_scheme') or 'http',

                  urllib.quote(self.req.env.get('REMOTE_HOST', '')),

                  urllib.quote(self.req.env.get('REMOTE_USER', '')))

      def iscmd(cmd):

          return cmd in wireproto.commands

      def call(repo, req, cmd):

          p = webproto(req, repo.ui)

          rsp = wireproto.dispatch(repo, p, cmd)

          if isinstance(rsp, str):

              req.respond(HTTP_OK, HGTYPE, body=rsp)

              return []

          elif isinstance(rsp, wireproto.streamres):

              req.respond(HTTP_OK, HGTYPE)

              return rsp.gen

          elif isinstance(rsp, wireproto.pushres):

              val = p.restore()

              rsp = '%d\n%s' % (rsp.res, val)

              req.respond(HTTP_OK, HGTYPE, body=rsp)

              return []

          elif isinstance(rsp, wireproto.pusherr):

              # drain the incoming bundle

              req.drain()

              p.restore()

              rsp = '0\n%s\n' % rsp.res

              req.respond(HTTP_OK, HGTYPE, body=rsp)

              return []

          elif isinstance(rsp, wireproto.ooberror):

              rsp = rsp.message

              req.respond(HTTP_OK, HGERRTYPE, body=rsp)

              return []

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				#
				# Copyright 21 May 2005 - (c) 2005 Jake Edge <jake@edge2.net>
				# Copyright 2005-2007 Matt Mackall <mpm@selenic.com>
				#
				# This software may be used and distributed according to the terms of the
				# GNU General Public License version 2 or any later version.

				from __future__ import absolute_import

				import cStringIO
				import cgi
				import urllib
				import zlib

				from .common import (
				HTTP_OK,
				)

				from .. import (
				util,
				wireproto,
				)

				HGTYPE = 'application/mercurial-0.1'
				HGERRTYPE = 'application/hg-error'

				class webproto(wireproto.abstractserverproto):
				def __init__(self, req, ui):
				self.req = req
				self.response = ''
				self.ui = ui
				def getargs(self, args):
				knownargs = self._args()
				data = {}
				keys = args.split()
				for k in keys:
				if k == '*':
				star = {}
				for key in knownargs.keys():
				if key != 'cmd' and key not in keys:
				star[key] = knownargs[key][0]
				data['*'] = star
				else:
				data[k] = knownargs[k][0]
				return [data[k] for k in keys]
				def _args(self):
				args = self.req.form.copy()
				chunks = []
				i = 1
				while True:
				h = self.req.env.get('HTTP_X_HGARG_' + str(i))
				if h is None:
				break
				chunks += [h]
				i += 1
				args.update(cgi.parse_qs(''.join(chunks), keep_blank_values=True))
				return args
				def getfile(self, fp):
				length = int(self.req.env['CONTENT_LENGTH'])
				for s in util.filechunkiter(self.req, limit=length):
				fp.write(s)
				def redirect(self):
				self.oldio = self.ui.fout, self.ui.ferr
				self.ui.ferr = self.ui.fout = cStringIO.StringIO()
				def restore(self):
				val = self.ui.fout.getvalue()
				self.ui.ferr, self.ui.fout = self.oldio
				return val
				def groupchunks(self, cg):
				z = zlib.compressobj()
				while True:
				chunk = cg.read(4096)
				if not chunk:
				break
				yield z.compress(chunk)
				yield z.flush()
				def _client(self):
				return 'remote:%s:%s:%s' % (
				self.req.env.get('wsgi.url_scheme') or 'http',
				urllib.quote(self.req.env.get('REMOTE_HOST', '')),
				urllib.quote(self.req.env.get('REMOTE_USER', '')))

				def iscmd(cmd):
				return cmd in wireproto.commands

				def call(repo, req, cmd):
				p = webproto(req, repo.ui)
				rsp = wireproto.dispatch(repo, p, cmd)
				if isinstance(rsp, str):
				req.respond(HTTP_OK, HGTYPE, body=rsp)
				return []
				elif isinstance(rsp, wireproto.streamres):
				req.respond(HTTP_OK, HGTYPE)
				return rsp.gen
				elif isinstance(rsp, wireproto.pushres):
				val = p.restore()
				rsp = '%d\n%s' % (rsp.res, val)
				req.respond(HTTP_OK, HGTYPE, body=rsp)
				return []
				elif isinstance(rsp, wireproto.pusherr):
				# drain the incoming bundle
				req.drain()
				p.restore()
				rsp = '0\n%s\n' % rsp.res
				req.respond(HTTP_OK, HGTYPE, body=rsp)
				return []
				elif isinstance(rsp, wireproto.ooberror):
				rsp = rsp.message
				req.respond(HTTP_OK, HGERRTYPE, body=rsp)
				return []