dispatch: protect against malicious 'hg serve --stdio' invocations (sec) Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected. We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'. The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it. mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.

     1

#require gpg

     2

     3

Test the GPG extension

     4

     5

  $ cat <<EOF >> $HGRCPATH

     6

  > [extensions]

     7

  > gpg=

     8

  > 

     9

  > [gpg]

    10

  > cmd=gpg --no-permission-warning --no-secmem-warning --no-auto-check-trustdb

    11

  > EOF

    12

  $ GNUPGHOME="$TESTTMP/gpg"; export GNUPGHOME

    13

  $ cp -R "$TESTDIR/gpg" "$GNUPGHOME"

    14

    15

Start gpg-agent, which is required by GnuPG v2

    16

    17

#if gpg21

    18

  $ gpg-connect-agent -q --subst /serverpid '/echo ${get serverpid}' /bye \

    19

  > >> $DAEMON_PIDS

    20

#endif

    21

    22

and migrate secret keys

    23

    24

#if gpg2

    25

  $ gpg --no-permission-warning --no-secmem-warning --list-secret-keys \

    26

  > > /dev/null 2>&1

    27

#endif

    28

    29

  $ hg init r

    30

  $ cd r

    31

  $ echo foo > foo

    32

  $ hg ci -Amfoo

    33

  adding foo

    34

    35

  $ hg sigs

    36

    37

  $ HGEDITOR=cat hg sign -e 0

    38

  signing 0:e63c23eaa88a

    39

  Added signature for changeset e63c23eaa88a

    40

    41

    42

  HG: Enter commit message.  Lines beginning with 'HG:' are removed.

    43

  HG: Leave message empty to abort commit.

    44

  HG: --

    45

  HG: user: test

    46

  HG: branch 'default'

    47

  HG: added .hgsigs

    48

    49

  $ hg sigs

    50

  hgtest                             0:e63c23eaa88ae77967edcf4ea194d31167c478b0

    51

    52

  $ hg sigcheck 0

    53

  e63c23eaa88a is signed by:

    54

   hgtest

    55

    56

  $ cd ..