File CVE-2017-1000116-0004.patch of Package mercurial.8018
# HG changeset patch
# User Sean Farley <sean@farley.io>
# Date 1501623619 25200
# Tue Aug 01 14:40:19 2017 -0700
# Branch stable
# Node ID f93975a5ebe8e0e96c8c1220ee6cb2a0e49cc9b9
# Parent e10745311406a9c6d2938583028ee2aaf74dd2bd
sshpeer: check for safe ssh url (SEC)
Checking in the sshpeer for rogue ssh:// urls seems like the right
place to do it (instead of whack-a-mole with pull, clone, push, etc).
---
mercurial/sshpeer.py | 2 ++
1 file changed, 2 insertions(+)
--- a/mercurial/sshpeer.py
+++ b/mercurial/sshpeer.py
@@ -37,6 +37,8 @@ class sshpeer(wireproto.wirepeer):
if u.scheme != 'ssh' or not u.host or u.path is None:
self._abort(error.RepoError(_("couldn't parse location %s") % path))
+ util.checksafessh(path)
+
self.user = u.user
if u.passwd is not None:
self._abort(error.RepoError(_("password in URL not supported")))
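Review bot: The added `util.checksafessh(path)` call validates the raw URL string, while the lines after it use the parsed `u.user` and `u.host`, so the guard only holds if `checksafessh` decodes and splits `path` exactly as `util.url` does; its body is not in this patch, so that cannot be confirmed here. Checking the parsed component as well would tie the test to the value that is presumably placed on the ssh command line later, e.g. `if u.host.startswith('-'): self._abort(error.RepoError(_("potentially unsafe ssh host in %s") % path))`, which also keeps the `self._abort(...)` error path used by the two neighbouring checks. A one-line comment above the call, such as `# SEC: reject ssh:// URLs whose host ssh could read as a command-line option`, would tell maintainers why it must stay ahead of any use of `u`. The enclosing method begins and ends outside the hunk.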