File hg-CVE-2016-3069-01-convert_add_new_non_clowny_interface.patch of Package mercurial
# HG changeset patch
# User Mateusz Kwapich <mitrandir@fb.com>
# Date 1458691511 25200
# Tue Mar 22 17:05:11 2016 -0700
# Branch stable
# Node ID 197eed39e3d5e9a8cadfd9ba5839eb14cc265caa
# Parent 34d43cb85de8d06764039d8868eee19d00fddeab
convert: add new, non-clowny interface for shelling out to git (SEC) CVE-2016-3069 (1/5) To avoid shell injection and for the sake of simplicity let's use the common.commandline for calling git.
---
 hgext/convert/git.py | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
--- a/hgext/convert/git.py
+++ b/hgext/convert/git.py
@@ -11,7 +11,7 @@
 from mercurial import util, config
 from mercurial.node import hex, nullid
 from mercurial.i18n import _
-from common import NoRepo, commit, converter_source, checktool
+from common import NoRepo, commit, converter_source, checktool, commandline
 class submodule(object):
 def __init__(self, path, node, url):
@@ -25,7 +25,7 @@ class submodule(object):
 def hgsubstate(self):
 return "%s %s" % (self.node, self.path)
-class convert_git(converter_source):
+class convert_git(converter_source, commandline):
 # Windows does not support GIT_DIR= construct while other systems
 # cannot remove environment variable. Just assume none have
 # both issues.
@@ -56,6 +56,21 @@ class convert_git(converter_source):
 else:
 return util.popen('GIT_DIR=%s %s' % (self.path, s), 'rb')
+ def _gitcmd(self, cmd, *args, **kwargs):
+ return cmd('--git-dir=%s' % self.path, *args, **kwargs)
+
+ def gitrun0(self, *args, **kwargs):
+ return self._gitcmd(self.run0, *args, **kwargs)
+
+ def gitrun(self, *args, **kwargs):
+ return self._gitcmd(self.run, *args, **kwargs)
+
+ def gitrunlines0(self, *args, **kwargs):
+ return self._gitcmd(self.runlines0, *args, **kwargs)
+
+ def gitrunlines(self, *args, **kwargs):
+ return self._gitcmd(self.runlines, *args, **kwargs)
+
 def popen_with_stderr(self, s):
 p = subprocess.Popen(s, shell=True, bufsize=-1,
 close_fds=util.closefds,
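Review bot: The new `_gitcmd` and `gitrun*` helpers in the third hunk have no docstrings, so the calling contract that makes them safer than `gitopen` is not written down: each git argument must be passed as its own positional element, never as a pre-built command string. I would add a docstring on `_gitcmd` such as `"""Call cmd with --git-dir prepended; pass every git argument separately, never a formatted shell string."""`. Avoiding shell interpretation does not stop a revision or path value that begins with `-` from being read by git as an option, so the callers (outside this hunk) should validate repository-supplied values before passing them in. The context lines also show `util.popen('GIT_DIR=%s %s' % (self.path, s), 'rb')` and `popen_with_stderr` with `shell=True` still in the class, so the old path stays reachable until the rest of the series (this is 1/5) moves the callers over.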
@@ -73,6 +88,7 @@ class convert_git(converter_source):
 def __init__(self, ui, path, rev=None):
 super(convert_git, self).__init__(ui, path, rev=rev)
+ commandline.__init__(self, ui, 'git')
 if os.path.isdir(path + "/.git"):
 path += "/.git"
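Review bot: `commandline.__init__(self, ui, 'git')` is called directly, right after `super(convert_git, self).__init__(ui, path, rev=rev)`, and nothing in the hunk says why the second base class is not reached through `super()`. A one-line comment above the added call would help the next maintainer, for example `# converter_source.__init__ does not chain to commandline, so initialise it explicitly`. That reason is inferred, since neither base class is visible here, so confirm it before adopting the wording. `__init__` continues past the end of the hunk.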