21078720 problem in UTILITY/HG s11u2-sru
authorDanek Duvall <danek.duvall@oracle.com>
Mon, 01 Jun 2015 15:54:47 -0700
branchs11u2-sru
changeset 4446 b23e280706b1
parent 4444 56cbdcda8e5e
child 4465 48cb092e9916
21078720 problem in UTILITY/HG
components/mercurial/patches/CVE-2014-9462.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/mercurial/patches/CVE-2014-9462.patch	Mon Jun 01 15:54:47 2015 -0700
@@ -0,0 +1,37 @@
+changeset:   23678:e3f30068d2eb
+branch:      stable
+parent:      23676:b65a01a4316b
+user:        Matt Mackall <[email protected]>
+date:        Mon Dec 29 13:27:02 2014 -0700
+files:
+   mercurial/sshpeer.py
+description:
+sshpeer: more thorough shell quoting
+
+This fixes an issue spotted by Jesse Hertz.
+
+diff --git a/mercurial/sshpeer.py b/mercurial/sshpeer.py
+--- a/mercurial/sshpeer.py
++++ b/mercurial/sshpeer.py
[email protected]@ -20,6 +20,8 @@ class remotelock(object):
+             self.release()
+ 
+ def _serverquote(s):
++    if not s:
++        return s
+     '''quote a string for the remote shell ... which we assume is sh'''
+     if re.match('[[email protected]%_+=:,./-]*$', s):
+         return s
[email protected]@ -45,7 +47,10 @@ class sshpeer(wireproto.wirepeer):
+         sshcmd = self.ui.config("ui", "ssh", "ssh")
+         remotecmd = self.ui.config("ui", "remotecmd", "hg")
+ 
+-        args = util.sshargs(sshcmd, self.host, self.user, self.port)
++        args = util.sshargs(sshcmd,
++                            _serverquote(self.host),
++                            _serverquote(self.user),
++                            _serverquote(self.port))
+ 
+         if create:
+             cmd = '%s %s %s' % (sshcmd, args,
+
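Review bot: The allow-list in `_serverquote` (the `re.match` line in the first embedded hunk) ends in `-`, so a host or user value that begins with a dash is returned unquoted. Shell quoting would not help in any case, because the local ssh client can still read such a value as an option rather than a destination. Before the new `_serverquote(self.host)` / `_serverquote(self.user)` arguments are built, leading-dash values should be rejected, for example `if self.host.startswith('-'): raise util.Abort('invalid ssh host')`, with the same check for `self.user` when it is set; `util.sshargs` is not visible here, so confirm it does not already guard against this. Separately, the added `if not s: return s` sits above the `'''quote a string ...'''` literal, which therefore stops being the function's docstring; placing the guard after that line keeps it. Both `_serverquote` and the `sshpeer` method continue outside the embedded hunks.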