[PATCH] Check for .hgrc files in ancestor directories above the repository

Peter Arrenbrecht peter.arrenbrecht at gmail.com
Sat Jan 12 01:40:28 CST 2008


On Jan 11, 2008 10:16 PM, Jesse Glick <jesse.glick at sun.com> wrote:
> Peter Arrenbrecht wrote:
> > But this admittedly starts looking rather complex.
>
> I can't follow it from your description, which is not a great sign. :-\

Thinking about it again, I suspect that is more of a problem with the
description than the idea. So let me try again.

The original proposal was:

  Scan for trusted .hgrc files to include in parent dirs up to /.

The security concern was that an attacker could include such an .hgrc
file in a parent repo (in a forest, for instance), thus planting
arbitrary Python code in pre-/post-hooks (right?).

So the new proposal is:

  Scan for trusted .hginclude files in parent dirs up to /.
  For every such file found:
    Read the string it contains.
    Sanitize the string so it does not contain path separators.
    Ensure the string starts with .hgrc.
    Read the file ~/<string> (for example ~/.hgrc-netbeans or
      ~/.hgrc-something-else), again ensuring it is trusted as for
      normal .hgrc files.

This would...

* ensure the only thing an attacker could do is to activate/deactivate
one of your existing .hgrc-xxx files, not modify them.

* not require configuration. Especially as it does not accidentally
pick up unwanted .hgrc files.

* not expose other files in your ~ to attacks trying to get at their
contents through hg config parse error messages, for instance (by
enforcing the .hgrc prefix).

-peo
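
The lookup proposed in the message above, as an added Python example (not code from the thread or from Mercurial). The function names are hypothetical, the owner-only `is_trusted` check is a simplified stand-in for Mercurial's trust rule, names containing a path separator are rejected rather than rewritten, and the directory tree in `demo()` is constructed.

```python
import os
import tempfile

PREFIX = ".hgrc"
FORBIDDEN = {"/", "\\", "\0", "\n", os.sep} | ({os.altsep} if os.altsep else set())

def is_trusted(path):
    # Assumption: simplified stand-in for Mercurial's trust rule (owner only).
    return os.stat(path).st_uid == os.getuid()

def validate_name(raw):
    """Return a bare file name starting with .hgrc, or None if raw is unsafe."""
    name = raw.strip()
    if not name.startswith(PREFIX) or any(c in name for c in FORBIDDEN):
        return None
    return name

def find_includes(start, home, trusted=is_trusted):
    """Walk from start up to the root; return the ~/.hgrc* files selected."""
    selected = []
    d = os.path.abspath(start)
    while True:
        marker = os.path.join(d, ".hginclude")
        if os.path.isfile(marker) and trusted(marker):
            with open(marker, encoding="utf-8", errors="replace") as fh:
                name = validate_name(fh.read(256))
            target = os.path.join(home, name) if name else None
            # The target must itself be a trusted regular file in home.
            if target and os.path.isfile(target) and trusted(target):
                selected.append(target)
        parent = os.path.dirname(d)
        if parent == d:  # reached the filesystem root
            return selected
        d = parent

def demo():
    """Constructed tree: one valid marker and one path-traversal attempt."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home")
        repo = os.path.join(root, "forest", "sub", "repo")
        os.makedirs(home)
        os.makedirs(repo)
        for name in (".hgrc-netbeans", "secret.txt"):
            open(os.path.join(home, name), "w").close()
        with open(os.path.join(root, "forest", ".hginclude"), "w") as fh:
            fh.write(".hgrc-netbeans\n")
        with open(os.path.join(root, "forest", "sub", ".hginclude"), "w") as fh:
            fh.write(".hgrc/../secret.txt\n")  # must not reach ~/secret.txt
        return [os.path.basename(p) for p in find_includes(repo, home)]

if __name__ == "__main__":
    print(demo())
```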

