[PATCH V2] patchbomb: protect email addresses from shell

Floris Bruynooghe flub at devork.be
Sat Oct 5 06:12:01 EDT 2019


Thanks for the explanation and merging the fix!

On Thu, 3 Oct 2019, 00:09 Yuya Nishihara, <yuya at tcha.org> wrote:

> On Wed, 02 Oct 2019 21:35:52 +0200, Floris Bruynooghe wrote:
> > On Tue 01 Oct 2019 at 08:15 +0900, Yuya Nishihara wrote:
> > > On Mon, 30 Sep 2019 21:22:17 +0200, Floris Bruynooghe wrote:
> > >> # HG changeset patch
> > >> # User Floris Bruynooghe <flub at google.com>
> > >> # Date 1569794518 -7200
> > >> #      Mon Sep 30 00:01:58 2019 +0200
> > >> # Node ID 7c69ab0787ac4931a5d4568704eb88e86d9c6b83
> > >> # Parent  bbf77341a956b3ba40ae87538fcd200b34c5a3e5
> > >> patchbomb: protect email addresses from shell
> > >
> > >> diff --git a/mercurial/mail.py b/mercurial/mail.py
> > >> --- a/mercurial/mail.py
> > >> +++ b/mercurial/mail.py
> > >> @@ -152,7 +152,8 @@ def _smtp(ui):
> > >>  def _sendmail(ui, sender, recipients, msg):
> > >>      '''send mail using sendmail.'''
> > >>      program = ui.config('email', 'method')
> > >> -    stremail = lambda x: stringutil.email(encoding.strtolocal(x))
> > >> +    stremail = lambda x: \
> > >> +        procutil.quote(stringutil.email(encoding.strtolocal(x)))
> > >
> > > procutil.shellquote() ?
> >
> > Sure, I should have spotted that...
> >
> > > I don't think shlex supports byte strings on Python 3, and maybe it
> wouldn't
> > > respect the cmd.exe rule on Windows.
> >
> > Hmm, I don't think I follow everything correctly.  encoding.strtolocal()
> > returns bytes?
>
> Yes.
>
> > But stringutils.email() uses .find('>'), that is on py3
> > this is b'foo'.find('<') and thus mixes unicode and bytes.
>
> We have code transformer which basically rewrites every '' to b''.
>
> https://www.mercurial-scm.org/wiki/Python3#Source_Rewriting_Module_Importer
>
> Anyway, this patch has already been queued, and I sent a follow-up patch
> mostly
> identical to your V3, thanks.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.mercurial-scm.org/pipermail/mercurial-devel/attachments/20191005/718303d1/attachment.html>


More information about the Mercurial-devel mailing list