Page MenuHomePhabricator
Differential D12170

Censor response bodies from Mercurial error messages
ClosedPublic
Actions

Authored by epriestley on Mar 26 2015, 4:50 PM.
Tags
None
Referenced Files
F15441028: D12170.id.diff
Wed, Mar 26, 4:06 PM
F15440686: D12170.id29244.diff
Wed, Mar 26, 2:06 PM
F15437024: D12170.diff
Tue, Mar 25, 5:05 PM
F15425784: D12170.id29244.diff
Sun, Mar 23, 6:03 AM
F15424835: D12170.id29253.diff
Sun, Mar 23, 12:25 AM
F15418925: D12170.id29253.diff
Fri, Mar 21, 2:27 AM
F15403151: D12170.id29244.diff
Tue, Mar 18, 2:00 AM
F15402018: D12170.id.diff
Mon, Mar 17, 8:09 PM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Maniphest Tasks
T6755: Allow more granular configuration of `security.allow-outbound-http`
Commits
Restricted Diffusion Commit
rPa4bfed8415c7: Censor response bodies from Mercurial error messages
Summary

Ref T6755. In Git and Subversion, running git clone http://google.com/ or svn checkout http://google.com/ does not echo the response body.

In Mercurial, it does. Censor it from the output of hg pull and hg clone. This prevents an attacker from:

  • Creating a Mercurial remote repository with URI http://10.0.0.1/secrets/; and
  • reading the secrets out of the error message after the clone fails.
Test Plan

Set a Mercurial remote URI to a non-Mercurial repository, ran repository update, saw censored error message.

Diff Detail

Repository
rP Phabricator
Branch
dnsrebind3
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 4989
Build 5007: [Placeholder Plan] Wait for 30 Seconds

Revision Contents
Changeset List

PathSize
src/
applications/
repository/
engine/
42 lines

Diff 29244

View Options

src/applications/repository/engine/PhabricatorRepositoryPullEngine.php

Loading...
Phabricator · Built by Phacility