Traversing symlinks

Sune Foldager cryo at cyanite.org
Thu May 19 14:25:51 CDT 2011


On 19-05-2011 19:42, Matt Mackall wrote:

> Congratulations, you've just introduced a security hole that allows
> remote attackers to 0wn you on clone.
>
> Just for kicks, I tried my hand at making an evil repo. Here's what
> happens when we weaken the check on line 119 of scmutil.py as you've
> proposed and clone my nasty little repo:
>
>   $ hg clone http://localhost:8000/ a2
>   requesting all changes
>   adding changesets
>   adding manifests
>   adding file changes
>   added 1 changesets with 2 changes to 2 files
>   updating to branch default
>   *** y00 haz bin 0wnz0red ***
>   2 files updated, 0 files merged, 0 files removed, 0 files unresolved

Fun

> For bonus points, you've also broken checkouts on Windows.
> You may commence wearing a brown paper bag on your head... now.

Bah... this is poisonous and arro... no wait. But seriously, this is 
stupid. Let's be civil; no one's trying to steal your candy.

> I'm not going to tell you which of several possible exploits I used just
> yet, as the point of this exercise is to demonstrate that just because
> you can't imagine an attack doesn't mean it doesn't exist.

Well, for educational purposes, why don't you divulge your expert
knowledge? :)  I, for one, would like to know.

-Sune


More information about the Mercurial-devel mailing list