The mercurial/filemerge.py module does not quote filenames properly when calling external merge tools. The code in question does basically this (revision b131e24e2984):

    args = _toolstr(ui, tool, "args", '$local $base $other')
    # ...
    args = util.interpolate(r'\$', replace, args,
                            lambda s: '"%s"' % util.localpath(s))

That is, filenames are simply surrounded by double quotes instead of properly quoted with e.g. util.shellquote. This obviously breaks if any of the filenames contain double quotes and can be used to inject malicious shell code if you can trick someone who uses external merge tools into pulling and merging from a repository with suitably chosen filenames and changes. There are other places in filemerge.py which use the same insufficient quoting mechanism. For instance the toolpath with the filename of the external tool itself is quoted in the same way.
Why don't we use Popen instead of a shell call?
> Why don't we use Popen instead of a shell call? If your question is "why do we let users specify arbitrary shell commands rather than just executables?" the answer is "the shell is part of what makes UNIX awesome." Seems like we need to take our existing shell quoting code and generalize it so that it can do keyword replacement like we need here and then audit all the users.
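The following is an added example, not code from the Mercurial project or from anyone in this thread. It models the quoting bug described in the report and the "generalized keyword replacement plus proper shell quoting" approach suggested in the reply above: interpolate() is a simplified stand-in for util.interpolate (assumption: it only needs to replace $name tokens), shellquote() uses POSIX single-quote quoting as util.shellquote does on non-Windows platforms, and the filenames are constructed samples. The check splits the resulting command line the way a POSIX shell would and confirms that each filename reaches the tool as exactly one argument, which is the property the naive double-quote wrapping fails to guarantee.

```python
import re
import shlex


def naive_quote(path):
    """The reported behaviour: wrap the name in double quotes and nothing else."""
    return '"%s"' % path


def shellquote(path):
    """POSIX single-quote quoting (same approach util.shellquote takes on POSIX).

    Inside single quotes nothing is special, so the only character that needs
    care is the single quote itself: end the quoted string, emit an escaped
    quote, and start a new quoted string.
    """
    return "'%s'" % path.replace("'", "'\\''")


def interpolate(mapping, template, quote):
    """Simplified stand-in for util.interpolate (assumption for this example):
    replace each $name in the template with quote(mapping[name])."""
    return re.sub(r'\$(\w+)', lambda m: quote(mapping[m.group(1)]), template)


def build_argv(args_template, paths, quote):
    """Build the command line as filemerge would, then split it like a POSIX shell.

    Raises ValueError (from shlex) if the quoting leaves an unbalanced quote.
    """
    return shlex.split(interpolate(paths, args_template, quote))


def check_argv_preserved(args_template, paths, quote):
    """True iff every interpolated filename arrives as exactly one argv entry
    and the command line parses at all. This is the invariant a merge-tool
    invocation must satisfy regardless of the filename contents."""
    expected = [paths[name] for name in re.findall(r'\$(\w+)', args_template)]
    try:
        return build_argv(args_template, paths, quote) == expected
    except ValueError:
        # Unbalanced quote: the shell would reject or misparse the command.
        return False


if __name__ == '__main__':
    # Constructed sample filenames; the first contains a double quote and a space.
    template = '$local $base $other'
    paths = {'local': 'old" "new.txt', 'base': 'base.txt', 'other': 'other.txt'}
    for name, quote in (('naive double quotes', naive_quote), ('shellquote', shellquote)):
        print('%-20s preserved=%s' % (name, check_argv_preserved(template, paths, quote)))
```

With the naive quoting the first filename is split into two arguments, so the tool receives four arguments instead of three; with shellquote every name survives intact, including one containing a single quote.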
Degrading to 'normal' - not a regression.
Fixed by http://selenic.com/repo/hg/rev/9a2cf955db84 Keegan Carruthers-Smith <keegancsmith@fb.com> filemerge: use util.shellquote when calling merge (issue3581) (please test the fix)
Fixed by http://selenic.com/repo/hg/rev/a19046744e4e Keegan Carruthers-Smith <keegancsmith@fb.com> filemerge: only run test for issue3581 on non-windows environments (please test the fix)
Fixed by http://selenic.com/repo/hg/rev/195ad823b5d5 Matt Mackall <mpm@selenic.com> tests: fix test for issue3581 for vfat on Linux (please test the fix)