convert: test for shell injection in git calls (SEC)

CVE-2016-3069 (5/5)

Before recent refactoring we were not escaping calls to git at all, which made such injections possible. Let's have a test for that to avoid this problem in the future.

Reported by Blake Burkhart.
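The class of bug the commit message refers to (a subprocess command line assembled from an unescaped, attacker-influenced string) can be shown without any Mercurial code. The following is an added illustration, not the `convert` extension's code and not the test on this page: `printf '%s\n'` stands in for the git binary so it runs offline and makes argument boundaries visible, and the revision string `HEAD; echo INJECTED` is a constructed payload. The three functions build the same command the vulnerable way (string interpolation through a shell), the quoted way, and the argv-list way with no shell at all.

```python
import shlex
import subprocess

# Constructed untrusted input: something a converter might take from the
# source repository (a branch name, a path, a revision) and hand to git.
UNTRUSTED_REV = "HEAD; echo INJECTED"


def run_via_shell_unquoted(rev):
    """Vulnerable pattern: interpolate the value into a shell command line.

    `printf '%s\n'` stands in for git here. Shell metacharacters in `rev`
    (';', '|', '$(...)', backticks) become part of the command, so the
    trailing `echo INJECTED` runs as a second command.
    """
    cmd = "printf '%%s\\n' %s" % rev
    return subprocess.check_output(cmd, shell=True, text=True)


def run_via_shell_quoted(rev):
    """Hardened variant when a shell cannot be avoided: quote every argument.

    shlex.quote() wraps the value in single quotes (escaping any embedded
    single quote), so the whole string reaches the tool as one argument.
    """
    cmd = "printf '%%s\\n' %s" % shlex.quote(rev)
    return subprocess.check_output(cmd, shell=True, text=True)


def run_without_shell(rev):
    """Preferred fix: pass an argv list and never involve a shell.

    With shell=False the kernel receives the argument vector directly; there
    is no parser that could split `rev` into extra commands.
    """
    return subprocess.check_output(["printf", "%s\n", rev], text=True)


def payload_executed(output):
    """True if the injected `echo INJECTED` ran as its own command.

    The stand-in tool prints one line per argument, so an `INJECTED` line on
    its own means the shell split the input into two commands.
    """
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for fn in (run_via_shell_unquoted, run_via_shell_quoted, run_without_shell):
        out = fn(UNTRUSTED_REV)
        print("%-24s injected=%s output=%r" % (fn.__name__, payload_executed(out), out))
```

Running the module shows the unquoted shell variant emitting `HEAD` and `INJECTED` as two separate lines (the payload ran), while both hardened variants pass the entire string through as a single argument. The argv-list form is the one to reach for first; `shlex.quote` is the fallback only when a shell is genuinely required, and it must be applied to every interpolated value, not just the one that happens to be under test.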

File last commit:

r26587:56b2bcea default
r28663:ae279d4a 3.7.3 stable
tests/test-custom-filters.t (66 lines, 1.5 KiB)
  $ hg init
  $ cat > .hg/hgrc <<EOF
  > [extensions]
  > prefixfilter = prefix.py
  > [encode]
  > *.txt = stripprefix: Copyright 2046, The Masters
  > [decode]
  > *.txt = insertprefix: Copyright 2046, The Masters
  > EOF

  $ cat > prefix.py <<EOF
  > from mercurial import error
  > def stripprefix(s, cmd, filename, **kwargs):
  >     header = '%s\n' % cmd
  >     if s[:len(header)] != header:
  >         raise error.Abort('missing header "%s" in %s' % (cmd, filename))
  >     return s[len(header):]
  > def insertprefix(s, cmd):
  >     return '%s\n%s' % (cmd, s)
  > def reposetup(ui, repo):
  >     repo.adddatafilter('stripprefix:', stripprefix)
  >     repo.adddatafilter('insertprefix:', insertprefix)
  > EOF

  $ cat > .hgignore <<EOF
  > .hgignore
  > prefix.py
  > prefix.pyc
  > EOF

  $ cat > stuff.txt <<EOF
  > Copyright 2046, The Masters
  > Some stuff to ponder very carefully.
  > EOF
  $ hg add stuff.txt
  $ hg ci -m stuff

Repository data:

  $ hg cat stuff.txt
  Some stuff to ponder very carefully.

Fresh checkout:

  $ rm stuff.txt
  $ hg up -C
  1 files updated, 0 files merged, 0 files removed, 0 files unresolved
  $ cat stuff.txt
  Copyright 2046, The Masters
  Some stuff to ponder very carefully.
  $ echo "Very very carefully." >> stuff.txt
  $ hg stat
  M stuff.txt

  $ echo "Unauthorized material subject to destruction." > morestuff.txt

Problem encoding:

  $ hg add morestuff.txt
  $ hg ci -m morestuff
  abort: missing header "Copyright 2046, The Masters" in morestuff.txt
  [255]
  $ hg stat
  M stuff.txt
  A morestuff.txt