SUSE:SLE-12-SP2:GA
File hg-CVE-2019-3902-fix2.patch of Package mercurial
# HG changeset patch # User Yuya Nishihara <yuya@tcha.org> # Date 1546952865 -32400 # Tue Jan 08 22:07:45 2019 +0900 # Branch stable # Node ID 6c10eba6b9cddab020de49fd4fabcb2cadcd85d0 # Parent 31286c9282dfa734e9da085649b7ae5a8ba290ad subrepo: prohibit variable expansion on creation of hg subrepo (SEC) It's probably wrong to expand path at localrepo.*repository() layer, but fixing the layering issue would require careful inspection of call paths. So, this patch adds add a validation to the subrepo constructor. os.path.realpath(util.expandpath(root)) is what vfsmod.vfs() would do. --- mercurial/subrepo.py | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/mercurial/subrepo.py +++ b/mercurial/subrepo.py @@ -507,7 +507,17 @@ class hgsubrepo(abstractsubrepo): if not os.path.exists(os.path.join(root, '.hg')): create = True util.makedirs(root) + # repository constructor does expand variables in path, which is + # unsafe since subrepo path might come from untrusted source. + if os.path.realpath(util.expandpath(root)) != root: + raise error.Abort(_('subrepo path contains illegal component: %s') + % path) self._repo = hg.repository(r.baseui, root, create=create) + if self._repo.root != root: + raise error.Abort('failed to reject unsafe subrepo ' + 'path: %s (expanded to %s)' + % (root, self._repo.root)) + for s, k in [('ui', 'commitsubrepos')]: v = r.ui.config(s, k) if v:
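Review bot: the first guard in the hunk, `if os.path.realpath(util.expandpath(root)) != root:`, conflates two conditions: it fires when expansion changed the path (the case the commit message is about), but also whenever `root` is not already in canonical form, for example when a path component is a symlink, because `realpath` rewrites that too. In the second case the user gets "subrepo path contains illegal component" for a path that contains no variable at all. Consider testing `util.expandpath(root) != root` for the expansion case with its own message, and comparing `os.path.realpath(root)` separately (or documenting in the comment that `root` is already canonical at this point). Two smaller points in the same hunk: the Abort message formats `% path` while the check was made on `root`, so the expanded value that actually failed is never shown to the user; including `util.expandpath(root)` in the message would make the rejection diagnosable. And the second Abort, `'failed to reject unsafe subrepo ' 'path: %s (expanded to %s)'`, is not wrapped in `_()` unlike the first; if it is meant as an internal sanity check rather than a user-facing error, a comment saying so would explain the asymmetry.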