mirror of https://we.phorge.it/source/phorge.git synced 2024-12-18 19:40:55 +01:00
phorge-phorge/src/applications/diffusion/protocol
epriestley a7921a4448 Filter and reject "--config" and "--debugger" flags to Mercurial in any position
Summary:
Ref T13012. These flags can be exploited by attackers to execute code remotely. See T13012 for discussion and context.

Additionally, harden some Mercurial commands where possible (by using additional quoting or embedding arguments in other constructs) so they resist these flags and behave properly when passed arguments with these values.

Test Plan:
  - Added unit tests.
  - Verified "--config" and "--debugger" commands are rejected.
  - Verified more commands now work properly even with branches and files named `--debugger`, although not all of them do.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13012

Differential Revision: https://secure.phabricator.com/D18769
2017-11-10 08:42:07 -08:00
..
__tests__ Filter and reject "--config" and "--debugger" flags to Mercurial in any position 2017-11-10 08:42:07 -08:00
DiffusionCommandEngine.php Fix spelling 2017-10-09 10:48:04 -07:00
DiffusionGitCommandEngine.php Pass SSH wrappers to VCS commands unconditionally, not just if there's an SSH remote 2017-08-10 17:49:55 -07:00
DiffusionMercurialCommandEngine.php Filter and reject "--config" and "--debugger" flags to Mercurial in any position 2017-11-10 08:42:07 -08:00
DiffusionMercurialWireProtocol.php Fix spelling 2017-10-09 10:48:04 -07:00
DiffusionRepositoryClusterEngine.php Fix spelling 2017-10-09 10:48:04 -07:00
DiffusionRepositoryClusterEngineLogInterface.php Make cluster repositories more chatty 2016-04-25 11:20:57 -07:00
DiffusionSubversionCommandEngine.php Pass SSH wrappers to VCS commands unconditionally, not just if there's an SSH remote 2017-08-10 17:49:55 -07:00
DiffusionSubversionWireProtocol.php phtize all the things 2015-05-22 21:16:39 +10:00