convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
$ hg init
$ touch unknown
$ touch a
$ hg add a
$ hg ci -m "1"
$ touch b
$ hg add b
$ hg ci -m "2"
Should show unknown
$ hg status
? unknown
$ hg revert -r 0 --all
removing b
Should show unknown and b removed
$ hg status
R b
? unknown
Should show a and unknown
$ ls
a
unknown