[PATCH] patchbomb: protect email addresses from shell
Floris Bruynooghe
flub at devork.be
Sun Sep 29 22:09:55 UTC 2019
# HG changeset patch
# User Floris Bruynooghe <flub at google.com>
# Date 1569794518 -7200
# Mon Sep 30 00:01:58 2019 +0200
# Node ID 01ba660965efded7d336ecf06270117bf98c6669
# Parent bbf77341a956b3ba40ae87538fcd200b34c5a3e5
patchbomb: protect email addresses from shell
When patchbomb sends email via a sendmail-like program it invokes this
using procutil.popen which passes the string to a shell to be parsed.
To protect any special characters in the email addresses on the
command line from being interpreted by the shell they must be
quoted.
diff --git a/mercurial/mail.py b/mercurial/mail.py
--- a/mercurial/mail.py
+++ b/mercurial/mail.py
@@ -152,7 +152,7 @@ def _smtp(ui):
def _sendmail(ui, sender, recipients, msg):
'''send mail using sendmail.'''
program = ui.config('email', 'method')
- stremail = lambda x: stringutil.email(encoding.strtolocal(x))
+ stremail = lambda x: '\'' + stringutil.email(encoding.strtolocal(x)) + '\''
cmdline = '%s -f %s %s' % (program, stremail(sender),
' '.join(map(stremail, recipients)))
ui.note(_('sending mail: %s\n') % cmdline)
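Review bot: The new stremail lambda wraps each address in literal single quotes but does not escape a single quote inside the address itself, so an address whose local part contains ' (for example o'brien@example.com) closes the quoting early and the rest of the string is parsed by the shell again. Hand-rolled quoting with '\'' + ... + '\'' is also POSIX-shell specific; where the string is handed to a shell that does not treat single quotes as quoting, they would reach the program as part of the argument. Suggest passing the result of stringutil.email(...) through a shell-quoting helper that escapes embedded quotes and is platform aware (procutil.shellquote) instead of concatenating quote characters here.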
diff --git a/tests/test-patchbomb.t b/tests/test-patchbomb.t
--- a/tests/test-patchbomb.t
+++ b/tests/test-patchbomb.t
@@ -3033,7 +3033,7 @@ single rev
+d
sending [PATCH] test ...
- sending mail: $TESTTMP/t2/pretendmail.sh -f test foo
+ sending mail: $TESTTMP/t2/pretendmail.sh -f 'test' 'foo'
Test pull url header
=================================
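Review bot: The updated expectation `sending mail: $TESTTMP/t2/pretendmail.sh -f 'test' 'foo'` only covers addresses with no special characters, so the test would pass equally well with quoting that breaks on hostile input. Suggest adding a case where the sender or a recipient contains shell metacharacters (a space, a semicolon, an embedded single quote) and checking that pretendmail.sh receives each address as exactly one argument.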