Contents of /updates/5/mercurial/current/SOURCES/hg-subrepo-bsc1071715-fix05.patch

Revision 1186276 - (show annotations) (download)
Thu Dec 28 16:04:19 2017 UTC (6 years, 3 months ago) by luigiwalser
File size: 3625 byte(s)
rediff patches from opensuse to fix CVE-2017-17458
1 # HG changeset patch
2 # User Yuya Nishihara <yuya@tcha.org>
3 # Date 1509886302 -32400
4 # Sun Nov 05 21:51:42 2017 +0900
5 # Branch stable
6 # Node ID 846942fd6d157a6e55783ebf2cf3fccf8cd9528b
7 # Parent 828cf35f1de6b5d8512fc332ad194a79592b0d04
8 subrepo: disable git and svn subrepos by default (BC) (SEC)
9
10 We have a security issue with git subrepos. I'm not sure if svn subrepo is
11 vulnerable, but it seems not 100% safe to allow writing arbitrary data into
12 a metadata directory. So for now, only hg subrepo is enabled by default.
13
14 Maybe we should improve the help to describe why git/svn subrepos are
15 disabled.
16
17 ---
18 mercurial/help/config.txt | 2 +-
19 mercurial/subrepo.py | 2 +-
20 tests/test-convert-git.t | 4 ++++
21 tests/test-mq-subrepo-svn.t | 2 ++
22 tests/test-subrepo-git.t | 16 ++++++++++++++++
23 tests/test-subrepo-svn.t | 15 +++++++++++++++
24 6 files changed, 39 insertions(+), 2 deletions(-)
25
26 --- a/mercurial/help/config.txt
27 +++ b/mercurial/help/config.txt
28 @@ -1500,7 +1500,7 @@ subrepositories feature. See also :hg:`h
29
30 When disallowed, any commands including :hg:`update` will fail if
31 subrepositories are involved.
32 - (default: `hg, git, svn`)
33 + (default: `hg`)
34
35 ``trusted``
36 -----------
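
Review bot: the new (default: `hg`) line changes the documented default without saying why, so a user who hits the abort and follows the hint to `hg help config.subrepos` learns neither that git and svn were switched off for security reasons nor that listing them in `allowed` turns them back on. Suggest one sentence after the default line covering both; the commit message already flags the help text as an open item.
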
37 --- a/mercurial/subrepo.py
38 +++ b/mercurial/subrepo.py
39 @@ -347,7 +347,7 @@ def _auditsubrepopath(repo, path):
40 raise util.Abort(_("subrepo '%s' traverses symbolic link") % path)
41
42 def _checktype(ui, kind):
43 - if kind not in ui.configlist('subrepos', 'allowed', ['hg', 'git', 'svn']):
44 + if kind not in ui.configlist('subrepos', 'allowed', ['hg']):
45 raise util.Abort(_("subrepo type %s not allowed") % kind,
46 hint=_("see 'hg help config.subrepos' for details"))
47 if kind not in types:
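
Review bot: in `_checktype`, the fallback `['hg']` is an inline literal that has to be kept in step by hand with the default stated in mercurial/help/config.txt, and the abort hint does not name the setting the user has to change. Suggest a named module-level default and a hint that mentions `subrepos.allowed` directly, since repositories that already carry git or svn subrepos will now abort at this check (the BC in the subject line).
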
48 --- a/tests/test-convert-git.t
49 +++ b/tests/test-convert-git.t
50 @@ -6,6 +6,10 @@
51 $ echo "autocrlf = false" >> $HOME/.gitconfig
52 $ echo "[extensions]" >> $HGRCPATH
53 $ echo "convert=" >> $HGRCPATH
54 + $ cat >> $HGRCPATH <<EOF
55 + > [subrepos]
56 + > allowed = hg, git
57 + > EOF
58 $ GIT_AUTHOR_NAME='test'; export GIT_AUTHOR_NAME
59 $ GIT_AUTHOR_EMAIL='test@example.org'; export GIT_AUTHOR_EMAIL
60 $ GIT_AUTHOR_DATE="2007-01-01 00:00:00 +0000"; export GIT_AUTHOR_DATE
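
Review bot: style nit on the added `cat >> $HGRCPATH <<EOF` block: the lines just above it use `echo "..." >> $HGRCPATH`, so the setup section now mixes two styles, and nothing says why the test runs with a non-default `allowed` list. Suggest matching the echo form and adding a short comment line noting that git is re-enabled for this test.
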
61 --- a/tests/test-mq-subrepo-svn.t
62 +++ b/tests/test-mq-subrepo-svn.t
63 @@ -4,6 +4,8 @@
64 $ echo "mq=" >> $HGRCPATH
65 $ echo "[diff]" >> $HGRCPATH
66 $ echo "nodates=1" >> $HGRCPATH
67 + $ echo "[subrepos]" >> $HGRCPATH
68 + $ echo "allowed = hg, svn" >> $HGRCPATH
69
70 fn to create new repository, and cd into it
71 $ mkrepo() {
72 --- a/tests/test-subrepo-git.t
73 +++ b/tests/test-subrepo-git.t
74 @@ -36,7 +36,23 @@ add subrepo clone
75 $ echo 's = [git]../gitroot' > .hgsub
76 $ git clone -q ../gitroot s
77 $ hg add .hgsub
78 +
79 +git subrepo is disabled by default
80 +
81 $ hg commit -m 'new git subrepo'
82 + abort: subrepo type git not allowed
83 + (see 'hg help config.subrepos' for details)
84 + [255]
85 +
86 +so enable it
87 +
88 + $ cat >> $HGRCPATH <<EOF
89 + > [subrepos]
90 + > allowed = hg, git
91 + > EOF
92 +
93 + $ hg commit -m 'new git subrepo'
94 +
95 $ hg debugsub
96 path s
97 source ../gitroot
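
Review bot: missing coverage in the "git subrepo is disabled by default" block: only `hg commit` is checked against the default, while the help text touched by this patch says any command including `hg update` fails when a type is disallowed. Suggest also updating to or cloning a revision that already contains the git subrepo with the default config and asserting the same `abort: subrepo type git not allowed`, since that is the path a user receiving someone else's repository takes.
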
98 --- a/tests/test-subrepo-svn.t
99 +++ b/tests/test-subrepo-svn.t
100 @@ -57,6 +57,21 @@ add first svn sub with leading whitespac
101 $ mkdir subdir
102 $ svn co --quiet "$SVNREPOURL"/src subdir/s
103 $ hg add .hgsub
104 +
105 +svn subrepo is disabled by default
106 +
107 + $ hg ci -m1
108 + abort: subrepo type svn not allowed
109 + (see 'hg help config.subrepos' for details)
110 + [255]
111 +
112 +so enable it
113 +
114 + $ cat >> $HGRCPATH <<EOF
115 + > [subrepos]
116 + > allowed = hg, svn
117 + > EOF
118 +
119 $ hg ci -m1
120
121 make sure we avoid empty commits (issue2445)
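
Review bot: the "svn subrepo is disabled by default" block checks the abort only when `allowed` is unset, so nothing shows that the list is enforced per type. Suggest one more step before "so enable it" that sets `allowed = hg, git` and asserts `hg ci -m1` still aborts with `subrepo type svn not allowed`, which pins down the `kind not in ui.configlist(...)` behaviour in `_checktype`.
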