tests/test-username-newline.t
author Blake Burkhart <bburky@bburky.com>
Wed, 06 Apr 2016 22:57:46 -0500
branch stable
changeset 29051 a56296f55a5e
parent 12346 3b165c127690
child 33617 5ac845ca059a
permissions -rw-r--r--
convert: pass absolute paths to git (SEC)

Fixes CVE-2016-3105 (1/1).

Previously, it was possible for the repository path passed to git-ls-remote to be misinterpreted as a URL. Always passing an absolute path to git is a simple way to avoid this.

  $ hg init
  $ touch a

  $ unset HGUSER
  $ echo "[ui]" >> .hg/hgrc
  $ echo "username= foo" >> .hg/hgrc
  $ echo "          bar1" >> .hg/hgrc

  $ hg ci -Am m
  adding a
  abort: username 'foo\nbar1' contains a newline
  
  [255]
  $ rm .hg/hgrc

  $ HGUSER=`(echo foo; echo bar2)` hg ci -Am m
  abort: username 'foo\nbar2' contains a newline
  
  [255]
  $ hg ci -Am m -u "`(echo foo; echo bar3)`"
  transaction abort!
  rollback completed
  abort: username 'foo\nbar3' contains a newline!
  [255]
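
The changeset description at the top of this page says a repository path handed to git-ls-remote could be misread as a URL, and that passing an absolute path avoids this. The following Python is an added illustration, not Mercurial's code: it models the argument forms described in the "GIT URLS" section of git's documentation and shows constructed directory names becoming unambiguous once made absolute. `classify_git_arg`, `safe_git_repo_arg` and `audit` are hypothetical names, and POSIX paths are assumed.

```python
import os
import re

# Model (an assumption, not git's source) of how git reads a repository
# argument, following the "GIT URLS" section of git's documentation.
_SCHEME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+.-]*://")
_HELPER = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+.-]*::")


def classify_git_arg(arg):
    """Return 'url', 'remote-helper', 'scp-like' or 'local-path'."""
    if _SCHEME.match(arg):
        return "url"
    if _HELPER.match(arg):
        return "remote-helper"
    colon = arg.find(":")
    slash = arg.find("/")
    # host:path is read as SSH unless a slash comes before the first colon.
    if colon > 0 and (slash == -1 or colon < slash):
        return "scp-like"
    return "local-path"


def safe_git_repo_arg(path):
    """Hypothetical helper: make a source path unambiguous for git."""
    # An absolute POSIX path starts with "/", so no scheme, helper prefix
    # or host part can be parsed out of it.
    return os.path.abspath(path)


# Constructed directory names a user could hand to a converter.
SAMPLES = ["project", "./project", "backup:2016", "helper::data", "proto://x"]


def audit(samples=SAMPLES):
    """Classify each name as given and after making it absolute."""
    return [(s, classify_git_arg(s), classify_git_arg(safe_git_repo_arg(s)))
            for s in samples]


if __name__ == "__main__":
    for name, before, after in audit():
        print(f"{name!r:16} as given: {before:14} absolute: {after}")
```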