File hg-CVE-2016-3105.patch of Package mercurial.5472

Overview Repositories Revisions Requests Users Attributes Meta

File hg-CVE-2016-3105.patch of Package mercurial.5472

# HG changeset patch
# User Blake Burkhart <bburky@bburky.com>
# Date 1460001466 18000
#      Wed Apr 06 22:57:46 2016 -0500
# Branch stable
# Node ID a56296f55a5e1038ea5016dace2076b693c28a56
# Parent  27ad6cae7785b59f918f5e3ed33a2f1e88a60d4f
convert: pass absolute paths to git (SEC)

Fixes CVE-2016-3105 (1/1).

Previously, it was possible for the repository path passed to git-ls-remote
to be misinterpreted as a URL.

Always passing an absolute path to git is a simple way to avoid this.

---
 hgext/convert/git.py     |    4 ++++
 tests/test-convert-git.t |   20 +++++++++++++++++++-
 tests/test-convert.t     |    2 +-
 3 files changed, 24 insertions(+), 2 deletions(-)

--- a/hgext/convert/git.py
+++ b/hgext/convert/git.py
@@ -50,6 +50,10 @@ class convert_git(converter_source, comm
         super(convert_git, self).__init__(ui, path, rev=rev)
         commandline.__init__(self, ui, 'git')
 
+        # Pass an absolute path to git to prevent from ever being interpreted
+        # as a URL
+        path = os.path.abspath(path)
+
         if os.path.isdir(path + "/.git"):
             path += "/.git"
         if not os.path.exists(path + "/objects"):
--- a/tests/test-convert-git.t
+++ b/tests/test-convert-git.t
@@ -421,7 +421,7 @@ damage git repository by renaming a comm
   $ COMMIT_OBJ=1c/0ce3c5886f83a1d78a7b517cdff5cf9ca17bdd
   $ mv git-repo4/.git/objects/$COMMIT_OBJ git-repo4/.git/objects/$COMMIT_OBJ.tmp
   $ hg convert git-repo4 git-repo4-broken-hg 2>&1 | grep 'abort:'
-  abort: cannot retrieve number of commits in git-repo4/.git
+  abort: cannot retrieve number of commits in $TESTTMP/git-repo4/.git
   $ mv git-repo4/.git/objects/$COMMIT_OBJ.tmp git-repo4/.git/objects/$COMMIT_OBJ
 damage git repository by renaming a blob object
 
@@ -453,3 +453,21 @@ test for escaping the repo name (CVE-201
   updating bookmarks
   $ test -f COMMAND-INJECTION
   [1]
+
+test for safely passing paths to git (CVE-2016-3105)
+
+  $ git init 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'
+  Initialized empty Git repository in $TESTTMP/ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #/.git/
+  $ cd 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'
+  $ git commit -q --allow-empty -m 'empty'
+  $ cd ..
+  $ hg convert 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #' 'converted-git-ext'
+  initializing destination converted-git-ext repository
+  scanning source...
+  sorting...
+  converting...
+  0 empty
+  updating bookmarks
+  $ test -f GIT-EXT-COMMAND-INJECTION
+  [1]
+
--- a/tests/test-convert.t
+++ b/tests/test-convert.t
@@ -358,7 +358,7 @@ running from a devel copy, not a temp in
   assuming destination emptydir-hg
   initializing destination emptydir-hg repository
   emptydir does not look like a CVS checkout
-  emptydir does not look like a Git repository
+  $TESTTMP/emptydir does not look like a Git repository
   emptydir does not look like a Subversion repository
   emptydir is not a local Mercurial repository
   emptydir does not look like a darcs repository

Places

File hg-CVE-2016-3105.patch of Package mercurial.5472

Places