convert: test for shell injection in git calls (SEC)

CVE-2016-3069 (5/5)

Before recent refactoring we were not escaping calls to git at all which made such injections possible. Let's have a test for that to avoid this problem in the future. Reported by Blake Burkhart.
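
The class of bug the commit message names, as an added example that is not Mercurial's convert code or its test: a value interpolated into a shell command string, next to two hardened forms and a regression check. The function names, the `echo` stand-in for git and the sample revision string are assumptions; a POSIX shell is expected.

```python
import shlex
import subprocess

# Constructed sample value carrying a shell metacharacter.
HOSTILE_REV = "HEAD; echo INJECTED"
# Assumption: 'echo' stands in for the git binary so no repository is needed.
TOOL = "echo"


def _shell(cmdline):
    """Run a command string through /bin/sh and return its output lines."""
    done = subprocess.run(cmdline, shell=True, stdout=subprocess.PIPE, check=True)
    return done.stdout.decode().splitlines()


def run_unescaped(rev):
    """Vulnerable pattern: the value is pasted into the shell string as-is."""
    return _shell("%s cat-file commit %s" % (TOOL, rev))


def run_quoted(rev):
    """Hardened: the value is shell-quoted before interpolation."""
    return _shell("%s cat-file commit %s" % (TOOL, shlex.quote(rev)))


def run_argv(rev):
    """Hardened: no shell involved; the value is exactly one argv element."""
    done = subprocess.run([TOOL, "cat-file", "commit", rev],
                          stdout=subprocess.PIPE, check=True)
    return done.stdout.decode().splitlines()


def stayed_one_command(lines, rev):
    """Regression check: one output line that carries the value verbatim."""
    return lines == ["cat-file commit " + rev]


if __name__ == "__main__":
    for fn in (run_unescaped, run_quoted, run_argv):
        out = fn(HOSTILE_REV)
        verdict = "ok" if stayed_one_command(out, HOSTILE_REV) else "INJECTED"
        print(fn.__name__, out, verdict)
```
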

File last commit:

r26604:a3fcc8e3 default
r28663:ae279d4a 3.7.3 stable
test-pull.t
104 lines | 2.7 KiB | text/troff | Tads3Lexer
#require serve

  $ hg init test
  $ cd test

  $ echo foo>foo
  $ hg addremove
  adding foo
  $ hg commit -m 1

  $ hg verify
  checking changesets
  checking manifests
  crosschecking files in changesets and manifests
  checking files
  1 files, 1 changesets, 1 total revisions

  $ hg serve -p $HGPORT -d --pid-file=hg.pid
  $ cat hg.pid >> $DAEMON_PIDS
  $ cd ..

  $ hg clone --pull http://foo:bar@localhost:$HGPORT/ copy
  requesting all changes
  adding changesets
  adding manifests
  adding file changes
  added 1 changesets with 1 changes to 1 files
  updating to branch default
  1 files updated, 0 files merged, 0 files removed, 0 files unresolved

  $ cd copy
  $ hg verify
  checking changesets
  checking manifests
  crosschecking files in changesets and manifests
  checking files
  1 files, 1 changesets, 1 total revisions

  $ hg co
  0 files updated, 0 files merged, 0 files removed, 0 files unresolved

  $ cat foo
  foo

  $ hg manifest --debug
  2ed2a3912a0b24502043eae84ee4b279c18b90dd 644 foo

  $ hg pull
  pulling from http://foo@localhost:$HGPORT/
  searching for changes
  no changes found

  $ hg rollback --dry-run --verbose
  repository tip rolled back to revision -1 (undo pull: http://foo:***@localhost:$HGPORT/)

Test pull of non-existing 20 character revision specification, making sure plain ascii identifiers
are not encoded like a node:

  $ hg pull -r 'xxxxxxxxxxxxxxxxxxxy'
  pulling from http://foo@localhost:$HGPORT/
  abort: unknown revision 'xxxxxxxxxxxxxxxxxxxy'!
  [255]
  $ hg pull -r 'xxxxxxxxxxxxxxxxxx y'
  pulling from http://foo@localhost:$HGPORT/
  abort: unknown revision '7878787878787878787878787878787878782079'!
  [255]

Issue622: hg init && hg pull -u URL doesn't checkout default branch

  $ cd ..
  $ hg init empty
  $ cd empty
  $ hg pull -u ../test
  pulling from ../test
  requesting all changes
  adding changesets
  adding manifests
  adding file changes
  added 1 changesets with 1 changes to 1 files
  1 files updated, 0 files merged, 0 files removed, 0 files unresolved

Test 'file:' uri handling:

  $ hg pull -q file://../test-does-not-exist
  abort: file:// URLs can only refer to localhost
  [255]

  $ hg pull -q file://../test
  abort: file:// URLs can only refer to localhost
  [255]

  $ hg pull -q file:../test # no-msys

It's tricky to make file:// URLs working on every platform with
regular shell commands.

  $ URL=`$PYTHON -c "import os; print 'file://foobar' + ('/' + os.getcwd().replace(os.sep, '/')).replace('//', '/') + '/../test'"`
  $ hg pull -q "$URL"
  abort: file:// URLs can only refer to localhost
  [255]

  $ URL=`$PYTHON -c "import os; print 'file://localhost' + ('/' + os.getcwd().replace(os.sep, '/')).replace('//', '/') + '/../test'"`
  $ hg pull -q "$URL"

  $ cd ..