source.dussan.org Git - redmine.git/commit

author	Toshi MARUYAMA <marutosijp2@yahoo.co.jp>
	Thu, 7 Dec 2017 12:19:13 +0000 (12:19 +0000)
committer	Toshi MARUYAMA <marutosijp2@yahoo.co.jp>
	Thu, 7 Dec 2017 12:19:13 +0000 (12:19 +0000)
commit	feb8c98e1bca9e0c16dfaf9f2052f11bcfaeabd6
tree	e34ed5574c1a4ee760dee573ec67837fba0187df	tree \| snapshot
parent	ccefedfbf2818086e2d3774ad666481a64219e40	commit \| diff

Merged r17060 from trunk to 3.3-stable (#27516)

mercurial: reject malicious command argument

We've got a security report from the Phabricator team, which basically says
--config and --debugger arguments can be injected anywhere to lead to an
arbitrary command execution.

https://secure.phabricator.com/rPa7921a4448093d00defa8bd18f35b8c8f8bf3314

This is a fundamental issue of the argument parsing rules in Mercurial, which
allows extensions to populate their parsing rules and such extensions can be
loaded by "--config extensions.<name>=". There's a chicken and egg problem.
We're working on hardening the parsing rules, but which won't come in by
default as it would be a behavior change.

This patch adds a verification to reject malicious command arguments as a
last ditch. The subsequent patches will fix the problem in more appropriate
way.

Contributed by Yuya Nishihara.

git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@17070 e93f8b46-1217-0410-a6f0-8f06a7374b81

lib/redmine/scm/adapters/mercurial_adapter.rb		diff \| blob \| history
test/unit/lib/redmine/scm/adapters/mercurial_adapter_test.rb		diff \| blob \| history