[PATCH V2] patchbomb: protect email addresses from shell

Floris Bruynooghe flub at devork.be
Wed Oct 2 19:35:52 UTC 2019


On Tue 01 Oct 2019 at 08:15 +0900, Yuya Nishihara wrote:

> On Mon, 30 Sep 2019 21:22:17 +0200, Floris Bruynooghe wrote:
>> # HG changeset patch
>> # User Floris Bruynooghe <flub at google.com>
>> # Date 1569794518 -7200
>> #      Mon Sep 30 00:01:58 2019 +0200
>> # Node ID 7c69ab0787ac4931a5d4568704eb88e86d9c6b83
>> # Parent  bbf77341a956b3ba40ae87538fcd200b34c5a3e5
>> patchbomb: protect email addresses from shell
>
>> diff --git a/mercurial/mail.py b/mercurial/mail.py
>> --- a/mercurial/mail.py
>> +++ b/mercurial/mail.py
>> @@ -152,7 +152,8 @@ def _smtp(ui):
>>  def _sendmail(ui, sender, recipients, msg):
>>      '''send mail using sendmail.'''
>>      program = ui.config('email', 'method')
>> -    stremail = lambda x: stringutil.email(encoding.strtolocal(x))
>> +    stremail = lambda x: \
>> +        procutil.quote(stringutil.email(encoding.strtolocal(x)))
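Review bot: the new `stremail` lambda calls `procutil.quote`, while the reply just below asks about `procutil.shellquote()`. Confirm the helper name against procutil before this lands, since a wrong attribute only surfaces when `_sendmail` actually runs. The quoting is applied to the result of `encoding.strtolocal(x)`, so the helper also has to accept that type and follow the quoting rules of the platform's shell. The backslash-continued lambda would read better as a small nested `def`, and a test that sends to an address containing shell metacharacters would pin the intended behaviour down.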
>
> procutil.shellquote() ?

Sure, I should have spotted that...

> I don't think shlex supports byte strings on Python 3, and maybe it wouldn't
> respect the cmd.exe rule on Windows.

Hmm, I don't think I follow everything correctly.  encoding.strtolocal()
returns bytes?  But stringutils.email() uses .find('>'), that is on py3
this is b'foo'.find('<') and thus mixes unicode and bytes.  AFAIK that
can't work so that means I'm missing something.

It's also far from obvious to me that procutil.shellquote can handle
bytes.  But then they also get %-substituted back into the cmdline.
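
An added example, not part of the original message and not Mercurial's code: on Python 3 `shlex.quote` rejects byte strings, so a command line assembled from bytes needs a bytes-aware quoting step. `quote_bytes`, `sendmail_cmdline`, the `-f` command layout and the sample addresses are assumptions made for illustration, and the quoting covers POSIX shells only (not cmd.exe).

```python
import re
import shlex

# Bytes that need no quoting in a POSIX shell word (the same set shlex.quote
# treats as safe for str input).
_SAFE = re.compile(br"[A-Za-z0-9_@%+=:,./-]+")


def quote_bytes(s: bytes) -> bytes:
    """POSIX-shell-quote a byte string (hypothetical helper)."""
    if _SAFE.fullmatch(s):
        return s
    # Wrap in single quotes; an embedded ' becomes '\'' (close the quote,
    # emit an escaped quote, reopen the quote).
    return b"'" + s.replace(b"'", b"'\\''") + b"'"


def shlex_accepts_bytes() -> bool:
    """Report whether the stdlib quoting function takes bytes on this Python."""
    try:
        shlex.quote(b"a b")
        return True
    except TypeError:
        return False


def sendmail_cmdline(program: bytes, sender: bytes, recipients) -> bytes:
    """Build '<program> -f <sender> <recipients...>' with every address quoted.

    The command layout is an assumption; the program path is taken as trusted
    configuration and is not quoted.
    """
    quoted = b" ".join(quote_bytes(r) for r in recipients)
    return b"%s -f %s %s" % (program, quote_bytes(sender), quoted)


if __name__ == "__main__":
    # Constructed sample addresses containing characters the shell interprets.
    cmd = sendmail_cmdline(
        b"/usr/sbin/sendmail",
        b"o'brien@example.com",
        [b"a&b@example.com", b"list name@example.com"],
    )
    print("shlex.quote accepts bytes:", shlex_accepts_bytes())
    print(cmd.decode("latin-1"))
    # Splitting the way a POSIX shell would yields the original addresses.
    print(shlex.split(cmd.decode("latin-1")))
```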

