1790 |
1790 |
1791 $ cd .. |
1791 $ cd .. |
1792 |
1792 |
1793 test for ssh exploit 2017-07-25 |
1793 test for ssh exploit 2017-07-25 |
1794 |
1794 |
|
1795 $ cat >> $HGRCPATH << EOF |
|
1796 > [ui] |
|
1797 > ssh = sh -c "read l; read l; read l" |
|
1798 > EOF |
|
1799 |
1795 $ hg init malicious-proxycommand |
1800 $ hg init malicious-proxycommand |
1796 $ cd malicious-proxycommand |
1801 $ cd malicious-proxycommand |
1797 $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub |
1802 $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub |
1798 $ hg init s |
1803 $ hg init s |
1799 $ cd s |
1804 $ cd s |
1823 [255] |
1828 [255] |
1824 |
1829 |
1825 also check for a pipe |
1830 also check for a pipe |
1826 |
1831 |
1827 $ cd malicious-proxycommand |
1832 $ cd malicious-proxycommand |
1828 $ echo 's = [hg]ssh://fakehost|shell/path' > .hgsub |
1833 $ echo 's = [hg]ssh://fakehost|touch${IFS}owned/path' > .hgsub |
1829 $ hg ci -m 'change url to pipe' |
1834 $ hg ci -m 'change url to pipe' |
1830 $ cd .. |
1835 $ cd .. |
1831 $ rm -r malicious-proxycommand-clone |
1836 $ rm -r malicious-proxycommand-clone |
1832 $ hg clone malicious-proxycommand malicious-proxycommand-clone |
1837 $ hg clone malicious-proxycommand malicious-proxycommand-clone |
1833 updating to branch default |
1838 updating to branch default |
1834 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s") |
1839 abort: no suitable response from remote hg! |
1835 [255] |
1840 [255] |
|
1841 $ [ ! -f owned ] || echo 'you got owned' |
1836 |
1842 |
1837 also check that a percent encoded '|' (%7C) doesn't work |
1843 also check that a percent encoded '|' (%7C) doesn't work |
1838 |
1844 |
1839 $ cd malicious-proxycommand |
1845 $ cd malicious-proxycommand |
1840 $ echo 's = [hg]ssh://fakehost%7Cshell/path' > .hgsub |
1846 $ echo 's = [hg]ssh://fakehost%7Ctouch%20owned/path' > .hgsub |
1841 $ hg ci -m 'change url to percent encoded pipe' |
1847 $ hg ci -m 'change url to percent encoded pipe' |
1842 $ cd .. |
1848 $ cd .. |
1843 $ rm -r malicious-proxycommand-clone |
1849 $ rm -r malicious-proxycommand-clone |
1844 $ hg clone malicious-proxycommand malicious-proxycommand-clone |
1850 $ hg clone malicious-proxycommand malicious-proxycommand-clone |
1845 updating to branch default |
1851 updating to branch default |
1846 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s") |
1852 abort: no suitable response from remote hg! |
1847 [255] |
1853 [255] |
|
1854 $ [ ! -f owned ] || echo 'you got owned' |
1848 |
1855 |
1849 and bad usernames: |
1856 and bad usernames: |
1850 $ cd malicious-proxycommand |
1857 $ cd malicious-proxycommand |
1851 $ echo 's = [hg]ssh://-oProxyCommand=touch owned@example.com/path' > .hgsub |
1858 $ echo 's = [hg]ssh://-oProxyCommand=touch owned@example.com/path' > .hgsub |
1852 $ hg ci -m 'owned username' |
1859 $ hg ci -m 'owned username' |