[PATCH] patchbomb: protect email addresses from shell

Floris Bruynooghe flub at devork.be
Sun Sep 29 18:09:55 EDT 2019


# HG changeset patch
# User Floris Bruynooghe <flub at google.com>
# Date 1569794518 -7200
#      Mon Sep 30 00:01:58 2019 +0200
# Node ID 01ba660965efded7d336ecf06270117bf98c6669
# Parent  bbf77341a956b3ba40ae87538fcd200b34c5a3e5
patchbomb: protect email addresses from shell

When patchbomb sends email via a sendmail-like program it invokes this
using procutil.popen which passes the string to a shell to be parsed.
To protect any special characters in the email addresses on the
command line from being interpretered by the shell they must be
quoted.

diff --git a/mercurial/mail.py b/mercurial/mail.py
--- a/mercurial/mail.py
+++ b/mercurial/mail.py
@@ -152,7 +152,7 @@ def _smtp(ui):
 def _sendmail(ui, sender, recipients, msg):
     '''send mail using sendmail.'''
     program = ui.config('email', 'method')
-    stremail = lambda x: stringutil.email(encoding.strtolocal(x))
+    stremail = lambda x: '\'' + stringutil.email(encoding.strtolocal(x)) + '\''
     cmdline = '%s -f %s %s' % (program, stremail(sender),
                                ' '.join(map(stremail, recipients)))
     ui.note(_('sending mail: %s\n') % cmdline)
diff --git a/tests/test-patchbomb.t b/tests/test-patchbomb.t
--- a/tests/test-patchbomb.t
+++ b/tests/test-patchbomb.t
@@ -3033,7 +3033,7 @@ single rev
   +d
   
   sending [PATCH] test ...
-  sending mail: $TESTTMP/t2/pretendmail.sh -f test foo
+  sending mail: $TESTTMP/t2/pretendmail.sh -f 'test' 'foo'
 
 Test pull url header
 =================================


More information about the Mercurial-devel mailing list