[PATCH 1 of 2] audit: reject files called .hg (issue 1450)

Peter Arrenbrecht peter.arrenbrecht at gmail.com
Fri Jan 9 01:13:29 CST 2009


# HG changeset patch
# User Peter Arrenbrecht <peter.arrenbrecht at gmail.com>
# Date 1231142531 -3600
# Node ID 603ac785a1b0c5fbed3d7ad770eae56e54f6882c
# Parent 758a5871fd68b7201125f4757a1c1e41ee368a39
audit: reject files called .hg (issue 1450)

diff --git a/mercurial/util.py b/mercurial/util.py
--- a/mercurial/util.py
+++ b/mercurial/util.py
@@ -819,7 +819,7 @@
       raise Abort(_("path contains illegal component: %s") % path)
     if '.hg' in path:
       for p in '.hg', '.hg.':
-        if p in parts[1:-1]:
+        if p in parts:
           pos = parts.index(p)
           base = os.path.join(*parts[:pos])
           raise Abort(_('path %r is inside repo %r') % (path, base))
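Review bot: With the `[1:-1]` slice removed, `parts.index(p)` can return 0, and `os.path.join(*parts[:0])` would then raise a TypeError rather than the intended Abort. This is safe only if the check ending in the `raise Abort(_("path contains illegal component: %s") % path)` line above already rejects a leading `.hg` or `.hg.`. That check's condition is outside the hunk, so confirm it, or build `base` defensively. The message "is inside repo" now also fires when the last component is itself `.hg`, as the expected output `path 'a/.hg' is inside repo 'a'` shows. A comment above the test would record the reason, for example `# also reject a final component named .hg: a tracked symlink there could pose as a nested repo's metadata directory (issue 1450)`. The enclosing function starts and ends outside the hunk.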
diff --git a/tests/tampered.hg b/tests/tampered.hg
index 92705405302e8d089822fe0a3e065633351435fe..d73abb19092404ceea2e3130e840d1f805e92df7
GIT binary patch
literal 1400
zc$@)v1&8`bM=>x$T4*^jL0KkKSyDq|A^-qRfB)bA?*H$<|NZX2`~N at h|NVFSz20x%
z{?vZ|i?{bX-}TT0I`-JWEW->Sl#wLzY7bGNr>JN&0BNH at 8U|_`O-H0XN9uzkO#?$C
z2t72OpbY>320#D+$TS#+)byUGr~~wo0B9Ki4Kx}u001%rO$JQ^AOHXZBN2fNMt}jJ
zXf!kcXaS}{pa21&44@{BG at gwKs+&=uX_G+F>KPdt4FCp!&;SO20j7^rKpFr8Pf?%%
z05kvwfB*piXc+(vG#WAh05Stj22BGX0009c5rGUwfB~RrG&BHc0j5Eq00E#0DG;ZU
zWWXjs!edj?G|7-OGz|uffB+h302%<u22B6}X`pBWA)pNgfY3Ap3AHC9JGG}@rtvvn
zg$YWQ)~R8v%`RkxdYQ&wqEy;sjb!iXxHdyAHUvbhfl}I<pKY{k2xO3hBQd;nB!ty1
zCA28i?u2Tk3R0DEX#N9*NXM*lN-&5LLLgZJ+8P20i2*9a1Y->=8}l$7Z<a#A8R72{
z>bzcnA(6)Q3}9jcNJdHIIOO$rV^Xh9D5{#TqPs<FP>@-5enF6hQ+0y)9U&hGKG4B+
z!%!pyFRxtid!aEfNJz7P44uf$Ovk!()7Gvm8)Yj}Z#n<3$gM?i`1ir2D#)giov8>q
zV4erabc%6&=mEL9v2`+ns+=>e&@y^$$Wfw83${jy+gGLz at y#O49)zGV7?6T|_~y3L
zOl`J?#wkfpDGc-&90~y30pEN4pqK*JWZ{50EzUFr(A3YA$<(|vdplZ+`gwGl*CzU{
zu at RIv_E{P1M8u_l$y6*CN%~xQ+%N_J=z*{lHH+9DrBR8H1=14}7JxA|h$4CHN`SEf
znPO!%HBIC4fvPoB_xDSscf!<z7A2tnfNDT>)84CL5M>5j3<E1{aW*zlQjnXpc_cg>
za|-ORnd_y9eT|G;T``$puBZ1TP{}4UJ=FP`h*02fZAy3&Fqv|uYwd8Q4-p0|wXC6&
zp at wBiZv_ws+5yXq=|m|?V at NdArUK?dcQO+L7K#w{g6dmz8LgEKty7^<<Z|>n;B$R$
zV=q<@ltw-Q6|yS61NIgOuX>8Ok!@vguHycvf(jcDr=be~v=$TLr9sOSS`j&Y-8FI*
zR;XA9j3Zil-?~D~C7}feKV73k&=dBdV=c{<lU(O4Eixpgc5&d3Bb6Szxwp2(mUlSy
zqV3QZZLD#p>$T`j#BegSWJHbtjtM`k;ru!@tftG73Q1NP%kGG|Av;KrhPW$EHY5gQ
zQZqbc?2-Ysmc{aGWpx>lelQ#y=TsIz$iM~55f-5u`J4_XsnMzUlQokAHL-5|bwBPD
zzVKrBRVFJP#HTen9uy6TtQ8I{ZpZ{39-X4GjW>fRgIp|fm<|GkZQNX(Y*chOg0X?*
z=0}Jqf)KuiFgOT_k_pn1V8#Svnx3q&u-DWQ0QnbT;PBA79fS+ew}lNSV)Ft)gCR*n
zy$I-pbRk5Ojww*a0wY+*CDclMOc8D^Kal8o#RfU92CBVvy2lV^;2On!A%f`Oj+)!G
zTH at K@rO}*4oe+D3*O6!&KG0D<iSiF6bA1(jJm55~1{TkRk{r+AQUj}Z_(vHwZ2mlJ
z<%mP?xCc6<A_Exznw;4K`mnHqhU_m<Cs2GF*;^qf(V76B3=lC{!KjgT-J1EJj*6+4
z83pzsOZq}6VsQvOYxhE)x3~3(guqVSq|oaG+Tj|74Dd=%b|fm0iX>p44iy+$hBQCc
zL2YGFE{Y$8j%Xoe$pF;IPm3X-6|~4aeh<K_u at tbjn&dwR%e7n*Q>cEA_`8xR!i0j7
G8yOI!LSNqi

diff --git a/tests/test-audit-path b/tests/test-audit-path
--- a/tests/test-audit-path
+++ b/tests/test-audit-path
@@ -45,4 +45,8 @@
 hg manifest -r4
 hg update -Cr4 2>&1 | sed -e "s|$HGTMP|[HGTMP]|"
 
+echo % attack a/.hg/hgrc via symlink
+hg manifest -r5
+hg update -Cr5
+
 exit 0
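Review bot: The new case asserts only the abort message from `hg update -Cr5`, not that the working directory was left without `a/.hg` afterwards. A regression that printed the abort after writing the entry would still pass. Adding a line such as `test -h a/.hg && echo "a/.hg was created"` after the update would close that gap and print nothing when the audit works. This assumes the script is still inside the target repository at that point, which the hunk does not show.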
diff --git a/tests/test-audit-path.out b/tests/test-audit-path.out
--- a/tests/test-audit-path.out
+++ b/tests/test-audit-path.out
@@ -10,7 +10,7 @@
 adding changesets
 adding manifests
 adding file changes
-added 5 changesets with 6 changes to 6 files (+4 heads)
+added 6 changesets with 8 changes to 8 files (+5 heads)
 (run 'hg heads' to see heads, 'hg merge' to merge)
 % attack .hg/test
 .hg/test
@@ -28,3 +28,7 @@
 % attack /tmp/test
 /tmp/test
 abort: No such file or directory: [HGTMP]/test-audit-path/target//tmp/test
+% attack a/.hg/hgrc via symlink
+a/.hg
+a/.hg0/hgrc
+abort: path 'a/.hg' is inside repo 'a'

