--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/mercurial/patches/CVE-2014-9462.patch Mon Jun 01 15:54:47 2015 -0700
@@ -0,0 +1,37 @@
+changeset: 23678:e3f30068d2eb
+branch: stable
+parent: 23676:b65a01a4316b
+user: Matt Mackall <[email protected]>
+date: Mon Dec 29 13:27:02 2014 -0700
+files:
+ mercurial/sshpeer.py
+description:
+sshpeer: more thorough shell quoting
+
+This fixes an issue spotted by Jesse Hertz.
+
+diff --git a/mercurial/sshpeer.py b/mercurial/sshpeer.py
+--- a/mercurial/sshpeer.py
++++ b/mercurial/sshpeer.py
+@@ -20,6 +20,8 @@ class remotelock(object):
+ self.release()
+
+ def _serverquote(s):
++ if not s:
++ return s
+ '''quote a string for the remote shell ... which we assume is sh'''
+ if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
+ return s
+@@ -45,7 +47,10 @@ class sshpeer(wireproto.wirepeer):
+ sshcmd = self.ui.config("ui", "ssh", "ssh")
+ remotecmd = self.ui.config("ui", "remotecmd", "hg")
+
+- args = util.sshargs(sshcmd, self.host, self.user, self.port)
++ args = util.sshargs(sshcmd,
++ _serverquote(self.host),
++ _serverquote(self.user),
++ _serverquote(self.port))
+
+ if create:
+ cmd = '%s %s %s' % (sshcmd, args,
+
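Review bot: The quoting added around `self.host`, `self.user` and `self.port` in the second inner hunk does not cover values that begin with `-`: the pattern in `_serverquote` has `-` in its safe-character class, so such a value is returned unchanged, and even a quoted one would presumably still be parsed by ssh as an option rather than a hostname. Shell quoting cannot address that, so the value should be rejected before the `util.sshargs` call, for example `if self.host.startswith('-'): raise util.Abort('invalid ssh host')`, with the same check for `self.user` when it is set (the message text is a placeholder). Separately, in the first inner hunk the `if not s: return s` guard sits above the string literal, so that literal is no longer the function's docstring; the guard belongs after it. `_serverquote` assumes a POSIX `sh`, while these arguments appear to be interpolated into the locally executed ssh command line, so it is worth confirming the quoting is also right for the local shell on non-POSIX clients. Both function bodies continue outside the hunks shown.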