File hg-CVE-2016-3069-05-convert_test_for_shell_injection.patch of Package mercurial.4928
# HG changeset patch
# User Mateusz Kwapich <mitrandir@fb.com>
# Date 1458692847 25200
# Tue Mar 22 17:27:27 2016 -0700
# Branch stable
# Node ID ae279d4a19e9683214cbd1fe8298cf0b50571432
# Parent 80cac1de6aea89f9d068abb09b0ea58c70bd7130
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
---
tests/test-convert-git.t | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
--- a/tests/test-convert-git.t
+++ b/tests/test-convert-git.t
@@ -436,3 +436,20 @@ damage git repository by renaming a tree
$ mv git-repo4/.git/objects/$TREE_OBJ git-repo4/.git/objects/$TREE_OBJ.tmp
$ hg convert git-repo4 git-repo4-broken-hg 2>&1 | grep 'abort:'
abort: cannot read changes in 1c0ce3c5886f83a1d78a7b517cdff5cf9ca17bdd
+
+test for escaping the repo name (CVE-2016-3069)
+
+ $ git init '`echo pwned >COMMAND-INJECTION`'
+ Initialized empty Git repository in $TESTTMP/`echo pwned >COMMAND-INJECTION`/.git/
+ $ cd '`echo pwned >COMMAND-INJECTION`'
+ $ git commit -q --allow-empty -m 'empty'
+ $ cd ..
+ $ hg convert '`echo pwned >COMMAND-INJECTION`' 'converted'
+ initializing destination converted repository
+ scanning source...
+ sorting...
+ converting...
+ 0 empty
+ updating bookmarks
+ $ test -f COMMAND-INJECTION
+ [1]
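Review bot: The final check, `test -f COMMAND-INJECTION`, looks only in the directory the test returns to after `cd ..`, while the payload `echo pwned >COMMAND-INJECTION` writes to a relative path. If a regression ran the payload in a shell with a different working directory (inside the source repository or `converted`, say), the marker file would land where this check never looks and the test would still pass. Consider asserting on a recursive search instead, such as `find . -name COMMAND-INJECTION` with empty expected output. The case also covers only backtick substitution in the source path, against a repository holding a single empty commit. A second repository name using `$(...)`, or one containing `;` or a single quote, would also catch escaping that handles backticks but breaks on other metacharacters, such as naive single-quote wrapping.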