upstream/mercurial-mirror Files · tests/test-hgweb-bundle.t

convert: test for shell injection in git calls (SEC)...

convert: test for shell injection in git calls (SEC) CVE-2016-3069 (5/5) Before recent refactoring we were not escaping calls to git at all which made such injections possible. Let's have a test for that to avoid this problem in the future. Reported by Blake Burkhart.

Matt Mackall - - Load All Authors

File last commit:

r25472:4d2b9b30 default


                r28663:ae279d4a

3.7.3 stable

Download file

             test-hgweb-bundle.t
        
                    37 lines
            
             | 780 B
            
                | text/troff
            
             |
                Tads3Lexer
            
             / tests / test-hgweb-bundle.t
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      #require serve

        $ hg init server

        $ cd server

        $ cat >> .hg/hgrc << EOF

        > [extensions]

        > strip=

        > EOF

        $ echo 1 > foo

        $ hg commit -A -m 'first'

        adding foo

        $ echo 2 > bar

        $ hg commit -A -m 'second'

        adding bar

      Produce a bundle to use

        $ hg strip -r 1

        0 files updated, 0 files merged, 1 files removed, 0 files unresolved

        saved backup bundle to $TESTTMP/server/.hg/strip-backup/ed602e697e0f-cc9fff6a-backup.hg (glob)

      Serve from a bundle file

        $ hg serve -R .hg/strip-backup/ed602e697e0f-cc9fff6a-backup.hg -d -p $HGPORT --pid-file=hg.pid

        $ cat hg.pid >> $DAEMON_PIDS

      Ensure we're serving from the bundle

        $ (get-with-headers.py localhost:$HGPORT 'file/tip/?style=raw')

        200 Script output follows

        -rw-r--r-- 2 bar

        -rw-r--r-- 2 foo

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				#require serve

				$ hg init server
				$ cd server
				$ cat >> .hg/hgrc << EOF
				> [extensions]
				> strip=
				> EOF

				$ echo 1 > foo
				$ hg commit -A -m 'first'
				adding foo
				$ echo 2 > bar
				$ hg commit -A -m 'second'
				adding bar

				Produce a bundle to use

				$ hg strip -r 1
				0 files updated, 0 files merged, 1 files removed, 0 files unresolved
				saved backup bundle to $TESTTMP/server/.hg/strip-backup/ed602e697e0f-cc9fff6a-backup.hg (glob)

				Serve from a bundle file

				$ hg serve -R .hg/strip-backup/ed602e697e0f-cc9fff6a-backup.hg -d -p $HGPORT --pid-file=hg.pid
				$ cat hg.pid >> $DAEMON_PIDS

				Ensure we're serving from the bundle

				$ (get-with-headers.py localhost:$HGPORT 'file/tip/?style=raw')
				200 Script output follows


				-rw-r--r-- 2 bar
				-rw-r--r-- 2 foo