Traversing symlinks

Martin Geisler mg at
Thu May 19 07:17:19 CDT 2011

Matt Mackall <mpm at> writes:

> On Mon, 2011-05-16 at 19:57 +0200, Martin Geisler wrote:
>> Hi guys,
>> Way back in 2007, this changeset was added:
>> It makes Mercurial abort when it encounters a symlink on the way to a
>> file -- even when the symlink points inside the repository:
>>   $ ln -s contrib extra
>>   $ hg status extra/mq.el
>>   abort: path 'extra/mq.el' traverses symbolic link 'extra'
>> This seems a tad too restrictive to me,
> Ok, do tell, what have you lost by not being able to ask for the
> status of a path you can't commit?

Oh, you must have misunderstood me -- after the change you would be able
to do

  $ hg commit extra/mq.el

just fine.

>>  and Bryan did also flag this in the test and commit message.
>> Would anybody object to me lifting this restriction?
> Yes.
> Most developers have only the vaguest idea of what the security
> implications of symlinks are, and simply saying "this seems a tad too
> restrictive" does not instill confidence that you've spent the time to
> become an expert on this obscure and complicated subject.

Okay. I can only try to guess what you mean with this. I do know about
symlink attacks where you exploit a window between checking for a file
and actually creating a file: if someone inserts a symlink in place of
the file, then you will end up operating on a completely different file.

Is that the kind of security implications you're thinking of?

Exploiting this depends on being able to write to the directory in the
first place, and so it does not apply to our case.

Martin Geisler

aragost Trifork
Professional Mercurial support

More information about the Mercurial-devel mailing list