stream: double check that self.vfs is *not* in the vfsmap
The stream clone logic allows for writing any content to any file under various
vfs. This is *not* suitable for *vfs*, since writing in `.hg/` directly allow to
modify the configuration and is a great and simple gateway for remote code
execution.
Differential Revision: https://phab.mercurial-scm.org/D10905
--- a/mercurial/streamclone.py Wed Jun 30 14:17:28 2021 +0200
+++ b/mercurial/streamclone.py Thu Jun 24 03:22:03 2021 +0200
@@ -560,6 +560,16 @@
def _emit2(repo, entries, totalfilesize):
"""actually emit the stream bundle"""
vfsmap = _makemap(repo)
+ # we keep repo.vfs out of the on purpose, ther are too many danger there
+ # (eg: .hg/hgrc),
+ #
+ # this assert is duplicated (from _makemap) as author might think this is
+ # fine, while this is really not fine.
+ if repo.vfs in vfsmap.values():
+ raise error.ProgrammingError(
+ b'repo.vfs must not be added to vfsmap for security reasons'
+ )
+
progress = repo.ui.makeprogress(
_(b'bundle'), total=totalfilesize, unit=_(b'bytes')
)
@@ -685,6 +695,15 @@
progress.update(0)
vfsmap = _makemap(repo)
+ # we keep repo.vfs out of the on purpose, ther are too many danger
+ # there (eg: .hg/hgrc),
+ #
+ # this assert is duplicated (from _makemap) as author might think this
+ # is fine, while this is really not fine.
+ if repo.vfs in vfsmap.values():
+ raise error.ProgrammingError(
+ b'repo.vfs must not be added to vfsmap for security reasons'
+ )
with repo.transaction(b'clone'):
ctxs = (vfs.backgroundclosing(repo.ui) for vfs in vfsmap.values())