[PATCH] Check for .hgrc files in ancestor directories above the repository
Peter Arrenbrecht
peter.arrenbrecht at gmail.com
Fri Jan 11 13:55:13 CST 2008
On Jan 11, 2008 7:34 PM, Jesse Glick <jesse.glick at sun.com> wrote:
> Peter Arrenbrecht wrote:
> > if people start clamouring for included hgrcs from parent repos, we
> > can always add the option
>
> I can't see how this could be supported without being a security risk.
> Even if you ask to turn it on, you are exposing yourself to the threat
> of loading config files edited by someone else. Unless you really really
> trust the people who can push to this repo, that is a big hole.
True. I was thinking that the most likely case would be, as Maxim
said, a managed home. I would not expect anyone to be allowed to push
there.
But you're right. Since it seems we have to configure the include
paths globally in ~/.hgrc, one may well have a relative path in there
for one repo that will inadvertently expose another repo.
On the other hand, if the parent scan would only look for .hginclude
files which then contain a name (and name only, no path) of the actual
include file, which is *always* taken to be in ~/, then one could not
compromise the includes unless ~/ is not secure. Like
cd ~/dev/netbeans
echo ".hgrc-netbeans" > .hginclude
cd ~/dev/hg
echo ".hgrc-hg" > .hginclude
and then have files
~/.hgrc-netbeans
~/.hgrc-hg
So the only harm your attack could do is to activate another of the
existing .hgrc-xxx files, but not to plant arbitrary hooks in there.
But this admittedly starts looking rather complex. Thoughts?
-peo
More information about the Mercurial-devel
mailing list