mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-15 11:22:40 +01:00
794e185bf9
Summary: Ref T12961. In Mercurial, it's possible to have "subrepos" which may use a different protocol than the main repository. By putting an SSH repository inside an HTTP repository, an attacker can theoretically get us to execute `hg` without overriding `ui.ssh`, then execute code via the SSH hostname attack. As an immediate mitigation to this attack, specify `ui.ssh` unconditionally. Normally, this will have no effect (it will just be ignored). In the specific case of an SSH repo inside an HTTP repo, it will defuse the `ssh` protocol. For good measure and consistency, do the same for Subversion and Git. However, we don't normally maintain working copies for either Subversion or Git so it's unlikely that similar attacks exist there. Test Plan: - Put an SSH subrepo with an attack URI inside an HTTP outer repo in Mercurial. - Ran `hg up` with and without `ui.ssh` specified. - Got dangerous badness without `ui.ssh` and safe `ssh` subprocesses with `ui.ssh`. I'm not yet able to confirm that `hg pull -u -- <uri>` can actually trigger this, but this can't hurt and our SSH wrapper is safer than the native behavior for all Subversion, Git and Mercurial versions released prior to today. Reviewers: chad Reviewed By: chad Subscribers: cspeckmim Maniphest Tasks: T12961 Differential Revision: https://secure.phabricator.com/D18389 |
||
|---|---|---|
| .. | ||
| __tests__ | ||
| DiffusionCommandEngine.php | ||
| DiffusionGitCommandEngine.php | ||
| DiffusionMercurialCommandEngine.php | ||
| DiffusionMercurialWireProtocol.php | ||
| DiffusionRepositoryClusterEngine.php | ||
| DiffusionRepositoryClusterEngineLogInterface.php | ||
| DiffusionSubversionCommandEngine.php | ||
| DiffusionSubversionWireProtocol.php | ||