email notification setup

Sanjoy Mahajan sanjoy at mrao.cam.ac.uk
Thu Sep 22 12:19:03 CDT 2005


  #!/bin/sh
  SUBJECT=`hg log -r $NODE | grep "^summary:" | cut -b 14-`
  hg log -vpr $NODE | mail -s "commit: $SUBJECT" commit-list@example.com

Does this allow a scripting attack?  If someone makes a nasty repository
where the summary contains the string `rm -rf .`, then pulling it,
merging and committing will cause trouble: the mail -s command will
execute rm -rf . (bash expands backticks even inside double quotes).

Problems can happen even without malice.  For example, if you commit a
change with the summary msg:

  Removed spurious `rm -rf .`

then you're in trouble.

-Sanjoy
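
An added check, not part of the original message, for the question raised above. It builds the subject the way the hook does and reports whether a backtick command inside the summary runs. The marker file, the sample summary and the use of `set --` as a stand-in for mail's argument list are constructed for this example.

```shell
#!/bin/sh
# Constructed sample: a commit summary that embeds a harmless command
# in backticks. Creating the marker file stands in for a destructive command.

# check_subject MODE -> prints "executed" if the embedded command ran,
# "inert" if the backticks stayed literal text.
check_subject() {
    mode=$1
    dir=$(mktemp -d) || return 1
    marker="$dir/marker"
    summary="Removed spurious \`touch $marker\`"

    case $mode in
        quoted)
            # Same shape as the hook: mail -s "commit: $SUBJECT"
            set -- -s "commit: $summary"
            ;;
        unquoted)
            # Unquoted expansion: the value is word-split and globbed,
            # but it is not parsed as shell source.
            set -- -s commit: $summary
            ;;
        eval)
            # Re-parsing the value as shell source: the form to avoid.
            eval "set -- -s \"commit: $summary\""
            ;;
    esac

    if [ -e "$marker" ]; then
        echo executed
    else
        echo inert
    fi
    rm -rf "$dir"
}

for m in quoted unquoted eval; do
    printf '%-9s %s\n' "$m" "$(check_subject "$m")"
done
```

In POSIX shells the result of a parameter expansion is not scanned again for command substitution, so of the three forms only the eval one runs the embedded command.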

