File mercurial-CVE-2014-9462.patch of Package mercurial.5472

# HG changeset patch
# User Matt Mackall <mpm@selenic.com>
# Date 1419884822 21600
# Node ID e3f30068d2ebdeb549ea0cd9fec76df2e6ef40bb
# Parent  b65a01a4316baabe80aa3af585feaabcf0a7b537
sshpeer: more thorough shell quoting

This fixes an issue spotted by Jesse Hertz.

---
 mercurial/sshpeer.py |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/mercurial/sshpeer.py
+++ b/mercurial/sshpeer.py
@@ -20,6 +20,8 @@ class remotelock(object):
             self.release()
 
 def _serverquote(s):
+    if not s:
+        return s
     '''quote a string for the remote shell ... which we assume is sh'''
     if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
         return s
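Review bot: The added `if not s: return s` guard sits above the string literal in `_serverquote`, so that literal is no longer the function's docstring and `_serverquote.__doc__` becomes None; the two added lines should move below it. The safe-character pattern already matches an empty string and returns it unchanged, so the guard appears to exist for None values (presumably an unset user or port passed from `sshpeer`). A comment such as `# user and port may be None; pass falsy values through unquoted` would make that explicit. The rest of the function body lies outside the hunk.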
@@ -45,7 +47,10 @@ class sshpeer(wireproto.wirepeer):
         sshcmd = self.ui.config("ui", "ssh", "ssh")
         remotecmd = self.ui.config("ui", "remotecmd", "hg")
 
-        args = util.sshargs(sshcmd, self.host, self.user, self.port)
+        args = util.sshargs(sshcmd,
+                            _serverquote(self.host),
+                            _serverquote(self.user),
+                            _serverquote(self.port))
 
         if create:
             cmd = '%s %s %s' % (sshcmd, args,
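Review bot: A host or user value that begins with `-` can still be read by ssh as an option rather than a destination. The safe-character pattern in `_serverquote` includes `-`, so such a value is returned unchanged, and shell quoting would not change how ssh parses it in any case. Consider rejecting these values before the `util.sshargs` call, for example aborting when `self.host.startswith('-')` (likewise for a non-empty user), and checking that the port is numeric. `_serverquote` is documented as quoting for the remote shell, while this command line looks like it is run by the local shell, so a comment stating that sh-style quoting is assumed locally as well would help. The enclosing method starts and ends outside the hunk.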