File CVE-2017-1000116-0003.patch of Package mercurial.5472

# HG changeset patch
# User Augie Fackler <augie@google.com>
# Date 1501869603 14400
#      Fri Aug 04 14:00:03 2017 -0400
# Branch stable
# Node ID e10745311406a9c6d2938583028ee2aaf74dd2bd
# Parent  53224b1ffbc2438941e8e50375f532f2603c8f0f
ssh: ban any username@host or host that starts with - (SEC)

This paranoia probably isn't required, but it can't hurt either.

---
 mercurial/posix.py   |    4 ++++
 mercurial/windows.py |    5 +++++
 2 files changed, 9 insertions(+)

--- a/mercurial/posix.py
+++ b/mercurial/posix.py
@@ -8,6 +8,7 @@
 from i18n import _
 import encoding
 import os, sys, errno, stat, getpass, pwd, grp, socket, tempfile, unicodedata
+import error
 
 posixfile = open
 normpath = os.path.normpath
@@ -64,6 +65,9 @@ def parsepatchoutput(output_line):
 def sshargs(sshcmd, host, user, port):
     '''Build argument list for ssh'''
     args = user and ("%s@%s" % (user, host)) or host
+    if '-' in args[:2]:
+        raise error.Abort(
+            _('illegal ssh hostname or username starting with -: %s') % args)
     return port and ("%s -p %s" % (args, port)) or args
 
 def isexec(f):
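Review bot: The guard `'-' in args[:2]` in sshargs inspects the first two characters, so it also rejects a destination whose second character is a hyphen (a constructed example: a host named `a-build`), while the error text says only values starting with `-` are illegal. If the intent is to keep the value from being parsed as an ssh option, `if args.startswith('-'):` matches both the message and the check used in the mercurial/windows.py hunk. A one-line comment such as `# a leading '-' would be read by ssh as an option, not as a destination` would record why the check exists. Whether `port` is validated before it is interpolated into the returned string cannot be seen from this hunk and is worth confirming at the caller.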
--- a/mercurial/windows.py
+++ b/mercurial/windows.py
@@ -8,6 +8,7 @@
 from i18n import _
 import osutil, encoding
 import errno, msvcrt, os, re, stat, sys, _winreg
+import error
 
 import win32
 executablepath = win32.executablepath
@@ -100,6 +101,10 @@ def sshargs(sshcmd, host, user, port):
     '''Build argument list for ssh or Plink'''
     pflag = 'plink' in sshcmd.lower() and '-P' or '-p'
     args = user and ("%s@%s" % (user, host)) or host
+    if args.startswith('-') or args.startswith('/'):
+        raise error.Abort(
+            _('illegal ssh hostname or username starting with - or /: %s') %
+            args)
     return port and ("%s %s %s" % (args, pflag, port)) or args
 
 def setflags(f, l, x):
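Review bot: The new check in sshargs rejects a leading `/` as well as `-`, but nothing in the code says why `/` matters on this platform. Presumably it is because Windows command-line tools can treat `/` as an option prefix, which should be confirmed and written down. A comment above the check such as `# reject anything ssh or Plink could parse as an option instead of a destination` would keep a later cleanup from dropping the `/` case. As a style point, the two calls can be folded into `if args.startswith(('-', '/')):`.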