File CVE-2017-1000116-0011.patch of Package mercurial.11266

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2017-1000116-0011.patch of Package mercurial.11266

# HG changeset patch
# User Jun Wu <quark@fb.com>
# Date 1501916052 25200
#      Fri Aug 04 23:54:12 2017 -0700
# Branch stable
# Node ID 00a75672a9cbc80d8ea3e1dd00a55b9ccc93c703
# Parent  ca398a50ca00635b2a9e6afa5c552ffd1afa8381
ssh: quote parameters using shellquote (SEC)

This patch uses shellquote to quote ssh parameters more strictly to avoid
shell injection.

---
 mercurial/posix.py   |    7 +++++--
 mercurial/sshpeer.py |    5 +----
 mercurial/windows.py |    5 ++++-
 3 files changed, 10 insertions(+), 7 deletions(-)

--- a/mercurial/posix.py
+++ b/mercurial/posix.py
@@ -65,10 +65,13 @@ def parsepatchoutput(output_line):
 def sshargs(sshcmd, host, user, port):
     '''Build argument list for ssh'''
     args = user and ("%s@%s" % (user, host)) or host
-    if '-' in args[:2]:
+    if '-' in args[:1]:
         raise error.Abort(
             _('illegal ssh hostname or username starting with -: %s') % args)
-    return port and ("%s -p %s" % (args, port)) or args
+    args = shellquote(args)
+    if port:
+        args = '-p %s %s' % (shellquote(port), args)
+    return args
 
 def isexec(f):
     """check whether a file is executable"""
--- a/mercurial/sshpeer.py
+++ b/mercurial/sshpeer.py
@@ -49,10 +49,7 @@ class sshpeer(wireproto.wirepeer):
         sshcmd = self.ui.config("ui", "ssh", "ssh")
         remotecmd = self.ui.config("ui", "remotecmd", "hg")
 
-        args = util.sshargs(sshcmd,
-                            _serverquote(self.host),
-                            _serverquote(self.user),
-                            _serverquote(self.port))
+        args = util.sshargs(sshcmd, self.host, self.user, self.port)
 
         if create:
             cmd = '%s %s %s' % (sshcmd, args,
--- a/mercurial/windows.py
+++ b/mercurial/windows.py
@@ -105,7 +105,10 @@ def sshargs(sshcmd, host, user, port):
         raise error.Abort(
             _('illegal ssh hostname or username starting with - or /: %s') %
             args)
-    return port and ("%s %s %s" % (args, pflag, port)) or args
+    args = shellquote(args)
+    if port:
+        args = '%s %s %s' % (pflag, shellquote(port), args)
+    return args
 
 def setflags(f, l, x):
     pass

Places

File CVE-2017-1000116-0011.patch of Package mercurial.11266

Places