File CVE-2017-1000116-0009.patch of Package mercurial.5472

# HG changeset patch
# User Sean Farley <sean@farley.io>
# Date 1501544657 25200
#      Mon Jul 31 16:44:17 2017 -0700
# Branch stable
# Node ID 173ecccb9ee7ca4babba86d9e9f8203931a915eb
# Parent  55681baf4cf97c87076ea63c889f6ced868d8dc8
subrepo: add tests for svn rogue ssh urls (SEC)

'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.

When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.

---
 mercurial/subrepo.py |    4 ++++
 mercurial/util.py    |    3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

--- a/mercurial/subrepo.py
+++ b/mercurial/subrepo.py
@@ -999,6 +999,10 @@ class svnsubrepo(abstractsubrepo):
         # The revision must be specified at the end of the URL to properly
         # update to a directory which has since been deleted and recreated.
         args.append('%s@%s' % (state[0], state[1]))
+
+        # SEC: check that the ssh url is safe
+        util.checksafessh(state[0])
+
         status, err = self._svncommand(args, failok=True)
         _sanitize(self._ui, self._path)
         if not re.search('Checked out revision [0-9]+.', status):
--- a/mercurial/util.py
+++ b/mercurial/util.py
@@ -1895,7 +1895,8 @@ def checksafessh(path):
     Raises an error.Abort when the url is unsafe.
     """
     path = urllib.unquote(path)
-    if path.startswith('ssh://-') or '|' in path:
+    if (path.startswith('ssh://-') or path.startswith('svn+ssh://-')
+        or '|' in path):
         raise error.Abort(_('potentially unsafe url: %r') %
                           (path,))