# HG changeset patch
# User Jun Wu <quark@fb.com>
# Date 1501916052 25200
# Fri Aug 04 23:54:12 2017 -0700
# Branch stable
# Node ID 00a75672a9cbc80d8ea3e1dd00a55b9ccc93c703
# Parent ca398a50ca00635b2a9e6afa5c552ffd1afa8381
ssh: quote parameters using shellquote (SEC)
This patch uses shellquote to quote ssh parameters more strictly to avoid
shell injection.
---
mercurial/posix.py | 7 +++++--
mercurial/sshpeer.py | 5 +----
mercurial/windows.py | 5 ++++-
3 files changed, 10 insertions(+), 7 deletions(-)
--- a/mercurial/posix.py
+++ b/mercurial/posix.py
@@ -65,10 +65,13 @@ def parsepatchoutput(output_line):
def sshargs(sshcmd, host, user, port):
'''Build argument list for ssh'''
args = user and ("%s@%s" % (user, host)) or host
- if '-' in args[:2]:
+ if '-' in args[:1]:
raise error.Abort(
_('illegal ssh hostname or username starting with -: %s') % args)
- return port and ("%s -p %s" % (args, port)) or args
+ args = shellquote(args)
+ if port:
+ args = '-p %s %s' % (shellquote(port), args)
+ return args
def isexec(f):
"""check whether a file is executable"""
--- a/mercurial/sshpeer.py
+++ b/mercurial/sshpeer.py
@@ -49,10 +49,7 @@ class sshpeer(wireproto.wirepeer):
sshcmd = self.ui.config("ui", "ssh", "ssh")
remotecmd = self.ui.config("ui", "remotecmd", "hg")
- args = util.sshargs(sshcmd,
- _serverquote(self.host),
- _serverquote(self.user),
- _serverquote(self.port))
+ args = util.sshargs(sshcmd, self.host, self.user, self.port)
if create:
cmd = '%s %s %s' % (sshcmd, args,
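Review bot: After this change sshpeer passes raw `self.host`, `self.user` and `self.port` to `util.sshargs` and relies entirely on every platform implementation of `sshargs` quoting them before they are interpolated into `cmd` on the last line and, presumably, handed to a shell further down; the enclosing method continues past the hunk. That contract is invisible here, so I would add `# host/user/port are shell-quoted inside util.sshargs; do not quote again` above the call to stop a later reader from re-wrapping them in `_serverquote` (double quoting would break valid hostnames) or from dropping the quoting in a new platform module. If `_serverquote` is no longer referenced for these values and is still used only for `remotecmd`/path elsewhere in the method, a short comment on that distinction would also help; I cannot confirm its remaining uses from this hunk.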
--- a/mercurial/windows.py
+++ b/mercurial/windows.py
@@ -105,7 +105,10 @@ def sshargs(sshcmd, host, user, port):
raise error.Abort(
_('illegal ssh hostname or username starting with - or /: %s') %
args)
- return port and ("%s %s %s" % (args, pflag, port)) or args
+ args = shellquote(args)
+ if port:
+ args = '%s %s %s' % (pflag, shellquote(port), args)
+ return args
def setflags(f, l, x):
pass
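Review bot: The Windows `sshargs` hunk quotes `args` and `port` but gives no hint about what the Windows `shellquote` is expected to defend against, and the `-`/`/` prefix check plus the `def` line and `pflag` assignment sit above the hunk, so the function starts outside it. On Windows the command is ultimately parsed by cmd.exe, where double quotes do not suppress `%VAR%` environment expansion; if `windows.shellquote` is double-quote based, that is worth a hedged comment or a follow-up check rather than an assumption that quoting alone makes the value inert. I would add `# shellquote protects against cmd.exe metacharacters; the leading '-'/'/' check above is what stops ssh/plink from reading the host as an option` above `args = shellquote(args)`, and refresh the docstring to say the result is a shell-quoted string placed before the remote command, mirroring the posix implementation.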