upstream/mercurial-mirror Files · tests/test-oldcgi.t

convert: test for shell injection in git calls (SEC)...

convert: test for shell injection in git calls (SEC) CVE-2016-3069 (5/5) Before recent refactoring we were not escaping calls to git at all which made such injections possible. Let's have a test for that to avoid this problem in the future. Reported by Blake Burkhart.

Matt Mackall - - Load All Authors

File last commit:

r22046:7a9cbb31 default


                r28663:ae279d4a

3.7.3 stable

Download file

             test-oldcgi.t
        
                    76 lines
            
             | 2.0 KiB
            
                | text/troff
            
             |
                Tads3Lexer
            
             / tests / test-oldcgi.t
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      #require no-msys # MSYS will translate web paths as if they were file paths

      This tests if CGI files from before d0db3462d568 still work.

        $ hg init test

        $ cat >hgweb.cgi <<HGWEB

        > #!/usr/bin/env python

        > #

        > # An example CGI script to use hgweb, edit as necessary

        > 

        > import cgitb, os, sys

        > cgitb.enable()

        > 

        > # sys.path.insert(0, "/path/to/python/lib") # if not a system-wide install

        > from mercurial import hgweb

        > 

        > h = hgweb.hgweb("test", "Empty test repository")

        > h.run()

        > HGWEB

        $ chmod 755 hgweb.cgi

        $ cat >hgweb.config <<HGWEBDIRCONF

        > [paths]

        > test = test

        > HGWEBDIRCONF

        $ cat >hgwebdir.cgi <<HGWEBDIR

        > #!/usr/bin/env python

        > #

        > # An example CGI script to export multiple hgweb repos, edit as necessary

        > 

        > import cgitb, sys

        > cgitb.enable()

        > 

        > # sys.path.insert(0, "/path/to/python/lib") # if not a system-wide install

        > from mercurial import hgweb

        > 

        > # The config file looks like this.  You can have paths to individual

        > # repos, collections of repos in a directory tree, or both.

        > #

        > # [paths]

        > # virtual/path = /real/path

        > # virtual/path = /real/path

        > #

        > # [collections]

        > # /prefix/to/strip/off = /root/of/tree/full/of/repos

        > #

        > # collections example: say directory tree /foo contains repos /foo/bar,

        > # /foo/quux/baz.  Give this config section:

        > #   [collections]

        > #   /foo = /foo

        > # Then repos will list as bar and quux/baz.

        > 

        > # Alternatively you can pass a list of ('virtual/path', '/real/path') tuples

        > # or use a dictionary with entries like 'virtual/path': '/real/path'

        > 

        > h = hgweb.hgwebdir("hgweb.config")

        > h.run()

        > HGWEBDIR

        $ chmod 755 hgwebdir.cgi

        $ . "$TESTDIR/cgienv"

        $ python hgweb.cgi > page1

        $ python hgwebdir.cgi > page2

        $ PATH_INFO="/test/"

        $ PATH_TRANSLATED="/var/something/test.cgi"

        $ REQUEST_URI="/test/test/"

        $ SCRIPT_URI="http://hg.omnifarious.org/test/test/"

        $ SCRIPT_URL="/test/test/"

        $ python hgwebdir.cgi > page3

        $ grep -i error page1 page2 page3

        [1]

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				#require no-msys # MSYS will translate web paths as if they were file paths

				This tests if CGI files from before d0db3462d568 still work.

				$ hg init test
				$ cat >hgweb.cgi <<HGWEB
				> #!/usr/bin/env python
				> #
				> # An example CGI script to use hgweb, edit as necessary
				>
				> import cgitb, os, sys
				> cgitb.enable()
				>
				> # sys.path.insert(0, "/path/to/python/lib") # if not a system-wide install
				> from mercurial import hgweb
				>
				> h = hgweb.hgweb("test", "Empty test repository")
				> h.run()
				> HGWEB

				$ chmod 755 hgweb.cgi

				$ cat >hgweb.config <<HGWEBDIRCONF
				> [paths]
				> test = test
				> HGWEBDIRCONF

				$ cat >hgwebdir.cgi <<HGWEBDIR
				> #!/usr/bin/env python
				> #
				> # An example CGI script to export multiple hgweb repos, edit as necessary
				>
				> import cgitb, sys
				> cgitb.enable()
				>
				> # sys.path.insert(0, "/path/to/python/lib") # if not a system-wide install
				> from mercurial import hgweb
				>
				> # The config file looks like this. You can have paths to individual
				> # repos, collections of repos in a directory tree, or both.
				> #
				> # [paths]
				> # virtual/path = /real/path
				> # virtual/path = /real/path
				> #
				> # [collections]
				> # /prefix/to/strip/off = /root/of/tree/full/of/repos
				> #
				> # collections example: say directory tree /foo contains repos /foo/bar,
				> # /foo/quux/baz. Give this config section:
				> # [collections]
				> # /foo = /foo
				> # Then repos will list as bar and quux/baz.
				>
				> # Alternatively you can pass a list of ('virtual/path', '/real/path') tuples
				> # or use a dictionary with entries like 'virtual/path': '/real/path'
				>
				> h = hgweb.hgwebdir("hgweb.config")
				> h.run()
				> HGWEBDIR

				$ chmod 755 hgwebdir.cgi

				$ . "$TESTDIR/cgienv"
				$ python hgweb.cgi > page1
				$ python hgwebdir.cgi > page2

				$ PATH_INFO="/test/"
				$ PATH_TRANSLATED="/var/something/test.cgi"
				$ REQUEST_URI="/test/test/"
				$ SCRIPT_URI="http://hg.omnifarious.org/test/test/"
				$ SCRIPT_URL="/test/test/"
				$ python hgwebdir.cgi > page3

				$ grep -i error page1 page2 page3
				[1]