email notification setup
Sanjoy Mahajan
sanjoy at mrao.cam.ac.uk
Thu Sep 22 12:19:03 CDT 2005

#!/bin/sh
SUBJECT=`hg log -r $NODE | grep "^summary:" | cut -b 14-`
hg log -vpr $NODE | mail -s "commit: $SUBJECT" commit-list@example.com

Does this allow a scripting attack? If someone makes a nasty repository
where the summary contains the string `rm -rf .`, then pulling it,
merging, and committing will cause trouble: the mail -s command will
execute rm -rf . (bash expands backticks even inside double quotes).

Problems can happen even without malice. For example, if you commit a
change with the summary msg:

    Removed spurious `rm -rf .`

then you're in trouble.

-Sanjoy
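
The question above can be checked on any POSIX shell. The following is an added example, not part of the original message: it runs the hook's summary-extraction pipeline over a constructed log whose summary contains backticks, and compares plain double-quoted expansion with the same text passed through eval. A POSIX shell does not re-scan the result of a parameter expansion for command substitution, but eval re-parses it as code. fake_hg_log, subject_quoted, subject_eval and the marker file are assumptions made for the test; a harmless touch stands in for the command in the summary.

```shell
#!/bin/sh
# Constructed stand-in for `hg log -r $NODE`. The summary line carries a
# backtick-quoted command that would create the marker file $1 if executed.
fake_hg_log() {
    printf '%s\n' 'changeset:   1:0123456789ab' \
                  'user:        someone' \
                  "summary:     Removed spurious \`touch $1\`"
}

# Same pipeline as the hook, then expansion inside double quotes.
# The expanded value is data: it is not parsed again for backticks.
subject_quoted() {
    SUBJECT=`fake_hg_log "$1" | grep "^summary:" | cut -b 14-`
    printf '%s' "commit: $SUBJECT"
}

# Anti-pattern: eval re-parses the expanded text as shell code, so the
# backticks from the commit summary become a command substitution.
subject_eval() {
    SUBJECT=`fake_hg_log "$1" | grep "^summary:" | cut -b 14-`
    eval "printf '%s' \"commit: $SUBJECT\""
}

# Demonstration in a scratch directory.
dir=`mktemp -d`
subject_quoted "$dir/marker"; echo
if [ -e "$dir/marker" ]; then echo "quoted: command ran"
else echo "quoted: summary stayed literal text"; fi
subject_eval "$dir/marker"; echo
if [ -e "$dir/marker" ]; then echo "eval: command ran"
else echo "eval: command did not run"; fi
rm -rf "$dir"
```

The same check applies to any hook that interpolates commit metadata: keep expansions double-quoted and never hand them to eval, sh -c, or an unquoted command position.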