[PATCH V2] patchbomb: protect email addresses from shell
flub at devork.be
Sat Oct 5 06:12:01 EDT 2019
Thanks for the explanation and merging the fix!
On Thu, 3 Oct 2019, 00:09 Yuya Nishihara, <yuya at tcha.org> wrote:
> On Wed, 02 Oct 2019 21:35:52 +0200, Floris Bruynooghe wrote:
> > On Tue 01 Oct 2019 at 08:15 +0900, Yuya Nishihara wrote:
> > > On Mon, 30 Sep 2019 21:22:17 +0200, Floris Bruynooghe wrote:
> > >> # HG changeset patch
> > >> # User Floris Bruynooghe <flub at google.com>
> > >> # Date 1569794518 -7200
> > >> # Mon Sep 30 00:01:58 2019 +0200
> > >> # Node ID 7c69ab0787ac4931a5d4568704eb88e86d9c6b83
> > >> # Parent bbf77341a956b3ba40ae87538fcd200b34c5a3e5
> > >> patchbomb: protect email addresses from shell
> > >
> > >> diff --git a/mercurial/mail.py b/mercurial/mail.py
> > >> --- a/mercurial/mail.py
> > >> +++ b/mercurial/mail.py
> > >> @@ -152,7 +152,8 @@ def _smtp(ui):
> > >> def _sendmail(ui, sender, recipients, msg):
> > >> '''send mail using sendmail.'''
> > >> program = ui.config('email', 'method')
> > >> - stremail = lambda x: stringutil.email(encoding.strtolocal(x))
> > >> + stremail = lambda x: \
> > >> + procutil.quote(stringutil.email(encoding.strtolocal(x)))
> > >
> > > procutil.shellquote() ?
> > Sure, I should have spotted that...
> > > I don't think shlex supports byte strings on Python 3, and maybe it
> > > respect the cmd.exe rule on Windows.
> > Hmm, I don't think I follow everything correctly. encoding.strtolocal()
> > returns bytes?
> > But stringutils.email() uses .find('>'), that is on py3
> > this is b'foo'.find('<') and thus mixes unicode and bytes.
> We have code transformer which basically rewrites every '' to b''.
> Anyway, this patch has already been queued, and I sent a follow-up patch
> identical to your V3, thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Mercurial-devel