# HG changeset patch
# User Danek Duvall
# Date 1433199287 25200
# Node ID b23e280706b1da57823a0683f1725d96a9cc5a5d
# Parent 56cbdcda8e5e6b622cf44e5313e124c5304eddcc
21078720 problem in UTILITY/HG
diff -r 56cbdcda8e5e -r b23e280706b1 components/mercurial/patches/CVE-2014-9462.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/mercurial/patches/CVE-2014-9462.patch Mon Jun 01 15:54:47 2015 -0700
@@ -0,0 +1,37 @@
+changeset: 23678:e3f30068d2eb
+branch: stable
+parent: 23676:b65a01a4316b
+user: Matt Mackall
+date: Mon Dec 29 13:27:02 2014 -0700
+files:
+ mercurial/sshpeer.py
+description:
+sshpeer: more thorough shell quoting
+
+This fixes an issue spotted by Jesse Hertz.
+
+diff --git a/mercurial/sshpeer.py b/mercurial/sshpeer.py
+--- a/mercurial/sshpeer.py
++++ b/mercurial/sshpeer.py
+@@ -20,6 +20,8 @@ class remotelock(object):
+ self.release()
+
+ def _serverquote(s):
++ if not s:
++ return s
+ '''quote a string for the remote shell ... which we assume is sh'''
+ if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
+ return s
+@@ -45,7 +47,10 @@ class sshpeer(wireproto.wirepeer):
+ sshcmd = self.ui.config("ui", "ssh", "ssh")
+ remotecmd = self.ui.config("ui", "remotecmd", "hg")
+
+- args = util.sshargs(sshcmd, self.host, self.user, self.port)
++ args = util.sshargs(sshcmd,
++ _serverquote(self.host),
++ _serverquote(self.user),
++ _serverquote(self.port))
+
+ if create:
+ cmd = '%s %s %s' % (sshcmd, args,
+
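Review bot: A URL field that begins with `-` is not covered by the quoting added in the second inner hunk (`_serverquote(self.host)`, `_serverquote(self.user)`, `_serverquote(self.port)`): the visible pattern `[a-zA-Z0-9@%_+=:,./-]*$` accepts `-` anywhere, so such a value is returned unchanged and, quoted or not, ssh would parse it as an option rather than a destination. Whether `util.sshargs` or the URL parsing rejects that case cannot be seen from here, so an explicit guard before the call is worth adding, for example `if self.host and self.host.startswith('-'): raise util.Abort("illegal ssh hostname: %s" % self.host)`. Separately, in the first inner hunk the added `if not s: return s` sits above the `'''quote a string …'''` literal, which then no longer serves as the docstring of `_serverquote`; placing the two lines below it keeps the documentation attached. Both functions continue outside the hunks shown.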