Boris Feld <boris.feld@octobus.net> [Tue, 01 Aug 2017 17:39:28 +0200] rev 33666
evolution: rename trouble(s) to instability
Rename trouble(s) to instability in all external user-facing output. Only
update user-facing output for the moment, variables names, templates keyword
and potentially configuration would be done in later series.
The renaming is done according to
https://www.mercurial-scm.org/wiki/CEDVocabulary.
Differential Revision: https://phab.mercurial-scm.org/D213
Pulkit Goyal <7895pulkit@gmail.com> [Wed, 02 Aug 2017 03:23:06 +0530] rev 33665
bundle2: load hookargs from bundleoperation into transaction when started one
When a transaction is started, we must load the hookargs from the
bundleoperation object to the transaction so that they can be used in the
transaction. Also this patch makes sure no more hookargs are added to the
bundleoperation object once the transaction starts.
This is a part of porting fb extension bundle2hooks to core.
Differential Revision: https://phab.mercurial-scm.org/D209
Pulkit Goyal <7895pulkit@gmail.com> [Wed, 02 Aug 2017 03:08:42 +0530] rev 33664
bundle2: add the capability to store hookargs on bundle operation object
There are extensions like pushrebase, pushvars which run hooks on a server
before taking the lock. Since the lock is not taken, transaction is not there,
so the hookargs can't be stored on the transaction. Adding hooksargs to bundle
operation object will help in running hooks before taking the lock.
This is a part of moving fb's extension bundle2hooks to core.
Differential Revision: https://phab.mercurial-scm.org/D208
Mike Hommey <mh@glandium.org> [Thu, 10 Aug 2017 20:47:19 -0700] rev 33663
branchmap: revert c34532365b38 for Python 2.7 compatibility
Old versions of python 2.7 don't like that the second argument to
struct.unpack_from is a bytearray, so the change removing the util.buffer
around that argument in branchmap broke running on older versions of python
2.7.
Differential Revision: https://phab.mercurial-scm.org/D330
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 18:46:55 -0400] rev 33662
Added signature for changeset 3fee7f7d2da0
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 18:46:54 -0400] rev 33661
Added tag 4.3.1 for changeset 3fee7f7d2da0
Yuya Nishihara <yuya@tcha.org> [Mon, 07 Aug 2017 22:22:28 +0900] rev 33660
ssh: unban the use of pipe character in user@host:port string
This vulnerability was fixed by the previous patch and there were more ways
to exploit than using '|shellcmd'. So it doesn't make sense to reject only
pipe character.
Test cases are updated to actually try to exploit the bug. As the SSH bridge
of git/svn subrepos are not managed by our code, the tests for non-hg subrepos
are just removed.
This may be folded into the original patches.
Jun Wu <quark@fb.com> [Fri, 04 Aug 2017 23:54:12 -0700] rev 33659
ssh: quote parameters using shellquote (SEC)
This patch uses shellquote to quote ssh parameters more strictly to avoid
shell injection.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:55:11 -0700] rev 33658
subrepo: add tests for git rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:44:17 -0700] rev 33657
subrepo: add tests for svn rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:04:44 -0700] rev 33656
subrepo: add tests for hg rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:40:28 -0700] rev 33655
push: add tests for unsafe ssh url (SEC)
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:47:32 -0700] rev 33654
pull: add tests for unsafe ssh url (SEC)
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:36:36 -0700] rev 33653
clone: add tests for unsafe ssh url (SEC)
Sean Farley <sean@farley.io> [Tue, 01 Aug 2017 14:40:19 -0700] rev 33652
sshpeer: check for safe ssh url (SEC)
Checking in the sshpeer for a rogue ssh:// urls seems like the right
place to do it (instead of whack-a-mole with pull, clone, push, etc).
Augie Fackler <augie@google.com> [Fri, 04 Aug 2017 14:00:03 -0400] rev 33651
ssh: ban any username@host or host that starts with - (SEC)
This paranoia probably isn't required, but it can't hurt either.
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:32:25 -0700] rev 33650
util: add utility method to check for bad ssh urls (SEC)
Our use of SSH has an exploit that will parse the first part of an url
blindly as a hostname. Prior to this set of security patches, a url
with '-oProxyCommand' could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' can be abused to execute
arbitrary commands in a similar fashion.
We defend against this by checking ssh:// URLs and looking for a
hostname that starts with a - or contains a |.
When this happens, let's throw a big abort into the user's face so
that they can inspect what's going on.
Yuya Nishihara <yuya@tcha.org> [Wed, 26 Jul 2017 22:10:15 +0900] rev 33649
pathauditor: disable cache of audited paths by default (issue5628)
The initial attempt was to discard cache when appropriate, but it appears
to be error prone. We had to carefully inspect all places where audit() is
called e.g. without actually updating filesystem, before removing files and
directories, etc.
So, this patch disables the cache of audited paths by default, and enables
it only for the following cases:
- short-lived auditor objects
- repo.vfs, repo.svfs, and repo.cachevfs, which are managed directories
and considered sort of append-only (a file/directory would never be
replaced with a symlink)
There would be more cacheable vfs objects (e.g. mq.queue.opener), but I
decided not to inspect all of them in this patch. We can make them cached
later.
Benchmark result:
- using old clone of http://selenic.com/repo/linux-2.6/ (38319 files)
- on tmpfs
- run HGRCPATH=/dev/null hg up -q --time tip && hg up -q null
- try 4 times and take the last three results
original:
real 7.480 secs (user 1.140+22.760 sys 0.150+1.690)
real 8.010 secs (user 1.070+22.280 sys 0.170+2.120)
real 7.470 secs (user 1.120+22.390 sys 0.120+1.910)
clearcache (the other series):
real 7.680 secs (user 1.120+23.420 sys 0.140+1.970)
real 7.670 secs (user 1.110+23.620 sys 0.130+1.810)
real 7.740 secs (user 1.090+23.510 sys 0.160+1.940)
enable cache only for vfs and svfs (this series):
real 8.730 secs (user 1.500+25.190 sys 0.260+2.260)
real 8.750 secs (user 1.490+25.170 sys 0.250+2.340)
real 9.010 secs (user 1.680+25.340 sys 0.280+2.540)
remove cache function at all (for reference):
real 9.620 secs (user 1.440+27.120 sys 0.250+2.980)
real 9.420 secs (user 1.400+26.940 sys 0.320+3.130)
real 9.760 secs (user 1.530+27.270 sys 0.250+2.970)
Yuya Nishihara <yuya@tcha.org> [Tue, 01 Aug 2017 21:03:25 +0900] rev 33648
tests: show cache of audited paths is never invalidated
Augie Fackler <augie@google.com> [Thu, 10 Aug 2017 14:23:25 -0400] rev 33647
stable: merge heads
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 14:14:49 -0400] rev 33646
Added signature for changeset 943c91326b23
Augie Fackler <raf@durin42.com> [Thu, 10 Aug 2017 14:14:48 -0400] rev 33645
Added tag 4.2.3 for changeset 943c91326b23
Yuya Nishihara <yuya@tcha.org> [Mon, 07 Aug 2017 22:22:28 +0900] rev 33644
ssh: unban the use of pipe character in user@host:port string
This vulnerability was fixed by the previous patch and there were more ways
to exploit than using '|shellcmd'. So it doesn't make sense to reject only
pipe character.
Test cases are updated to actually try to exploit the bug. As the SSH bridge
of git/svn subrepos are not managed by our code, the tests for non-hg subrepos
are just removed.
This may be folded into the original patches.
Jun Wu <quark@fb.com> [Fri, 04 Aug 2017 23:54:12 -0700] rev 33643
ssh: quote parameters using shellquote (SEC)
This patch uses shellquote to quote ssh parameters more strictly to avoid
shell injection.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:55:11 -0700] rev 33642
subrepo: add tests for git rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:44:17 -0700] rev 33641
subrepo: add tests for svn rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 16:04:44 -0700] rev 33640
subrepo: add tests for hg rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
Sean Farley <sean@farley.io> [Mon, 31 Jul 2017 14:40:28 -0700] rev 33639
push: add tests for unsafe ssh url (SEC)
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:47:32 -0700] rev 33638
pull: add tests for unsafe ssh url (SEC)
Sean Farley <sean@farley.io> [Fri, 28 Jul 2017 16:36:36 -0700] rev 33637
clone: add tests for unsafe ssh url (SEC)