File hg-CVE-2019-3902-fix3.patch of Package mercurial.38124
# HG changeset patch
# User Yuya Nishihara <yuya@tcha.org>
# Date 1546953576 -32400
# Tue Jan 08 22:19:36 2019 +0900
# Branch stable
# Node ID 83377b4b4ae0e9a6b8e579f7b0a693b8cf5c3b10
# Parent 6c10eba6b9cddab020de49fd4fabcb2cadcd85d0
subrepo: reject potentially unsafe subrepo paths (BC) (SEC)
In addition to the previous patch, this prohibits '~', '$nonexistent', etc.
for any subrepo types. I think this is safer, and real-world subrepos wouldn't
use such (local) paths.
---
mercurial/subrepo.py | 4 ++++
tests/test-audit-subrepo.t | 33 ++++++++++++++++++++++++++-------
2 files changed, 30 insertions(+), 7 deletions(-)
Index: mercurial-4.5.2/mercurial/subrepo.py
===================================================================
--- mercurial-4.5.2.orig/mercurial/subrepo.py 2025-03-20 19:39:18.750386012 +0100
+++ mercurial-4.5.2/mercurial/subrepo.py 2025-03-20 19:39:21.119195687 +0100
@@ -445,6 +445,10 @@
vfs.unlink(vfs.reljoin(dirname, f))
def _auditsubrepopath(repo, path):
+ # sanity check for potentially unsafe paths such as '~' and '$FOO'
+ if path.startswith('~') or '$' in path or util.expandpath(path) != path:
+ raise error.Abort(_('subrepo path contains illegal component: %s')
+ % path)
# auditor doesn't check if the path itself is a symlink
pathutil.pathauditor(repo.root)(path)
if repo.wvfs.islink(path):
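Review bot: the new condition `if path.startswith('~') or '$' in path or util.expandpath(path) != path:` bundles two different checks without saying so, and the one-line comment above it should spell them out. The `util.expandpath(path) != path` comparison only fires when expansion actually changes the path (a `$VAR` that is set, a tilde for an existing user); the two literal tests are what reject `~` and `$nonexistent` when expansion is a no-op, which is exactly the case the commit message calls out and the `$SUB`-unset test below now exercises. Without a comment to that effect, the literal tests look redundant next to the expandpath comparison and are at risk of being "simplified" away later. Also, the message marks this (BC), but the patch touches only subrepo.py and the test; a sentence in the subrepo help text listing what is now rejected (leading `~`, any `$`, anything expandpath would rewrite) would save users from discovering the restriction only through the abort.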
Index: mercurial-4.5.2/tests/test-audit-subrepo.t
===================================================================
--- mercurial-4.5.2.orig/tests/test-audit-subrepo.t 2025-03-20 19:39:18.750964262 +0100
+++ mercurial-4.5.2/tests/test-audit-subrepo.t 2025-03-20 19:39:21.119648971 +0100
@@ -279,8 +279,9 @@
on clone (and update) with various substitutions:
$ hg clone -q main main2
+ abort: subrepo path contains illegal component: $SUB
+ [255]
$ ls main2
- $SUB
$ SUB=sub1 hg clone -q main main3
abort: subrepo path contains illegal component: $SUB
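Review bot: the unchanged context line `$ ls main2` is now followed by no output, and that empty expectation is the real assertion of the hunk (the abort left nothing checked out into main2), but in a .t file an `ls` with no expected output reads like a forgotten line. A short comment above it stating that main2 is expected to be empty would make the intent explicit. Note also that the `$SUB`-unset case added here and the pre-existing `SUB=sub1` case now produce identical abort messages, so nothing in the output distinguishes a rejection by the literal `'$' in path` test from one by the expandpath comparison; that is fine for the test, but worth one line of comment for whoever bisects a future regression.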
@@ -363,8 +364,9 @@
Test tilde
----------
-The leading tilde may be expanded to $HOME, but it's a valid subrepo path.
-However, we might want to prohibit it as it seems potentially unsafe.
+The leading tilde may be expanded to $HOME, but it can be a valid subrepo
+path in theory. However, we want to prohibit it as there might be unsafe
+handling of such paths.
on commit:
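Review bot: the rewritten wording `However, we want to prohibit it as there might be unsafe handling of such paths.` is vaguer than the code it documents. The subrepo.py hunk rejects the path because `util.expandpath` would turn a leading `~` into the user's home directory, i.e. a location outside the repository, and the literal `startswith('~')` test covers the case where expansion is a no-op. Naming that concrete reason here, instead of "might be unsafe handling", would make the test self-explanatory and tie it to the check it exercises.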
@@ -373,15 +375,32 @@
$ hg init './~'
$ echo '~ = ~' >> .hgsub
$ hg ci -qAm 'add subrepo "~"'
- $ ls
- ~
+ abort: subrepo path contains illegal component: ~
+ [255]
+
+prepare tampered repo (including the commit above):
+
+ $ hg import --bypass -qm 'add subrepo "~"' - <<'EOF'
+ > diff --git a/.hgsub b/.hgsub
+ > new file mode 100644
+ > --- /dev/null
+ > +++ b/.hgsub
+ > @@ -0,0 +1,1 @@
+ > +~ = ~
+ > diff --git a/.hgsubstate b/.hgsubstate
+ > new file mode 100644
+ > --- /dev/null
+ > +++ b/.hgsubstate
+ > @@ -0,0 +1,1 @@
+ > +0000000000000000000000000000000000000000 ~
+ > EOF
$ cd ..
on clone (and update):
$ hg clone -q tilde tilde2
- $ ls tilde2
- ~
+ abort: subrepo path contains illegal component: ~
+ [255]
Test direct symlink traversal
-----------------------------
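Review bot: `$ hg init './~'` is now leftover setup. The following `hg ci -qAm` aborts, and the commit used by the clone test comes from `hg import --bypass`, which does not touch the working directory, so the `~` directory and the uncommitted `.hgsub` edit play no part in the assertions; either drop the init or add a comment that it is kept deliberately to show a pre-existing `~` directory does not change the outcome. The `.hgsubstate` line `+0000000000000000000000000000000000000000 ~` uses the null revision, which works here only because the audit aborts before the subrepo revision is consulted; a comment saying so would stop someone from later "fixing" it to a real hash and quietly changing what the test proves. Finally, the fixture covers only a leading tilde: given `startswith('~')` in the code hunk, a tilde in a later component (`foo/~bar`) is accepted, which matches the existing note that only the leading tilde is expanded, but a positive test pinning that down would prevent the literal check from being widened or narrowed unnoticed.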