Ref T12961. In Mercurial, it's possible to have "subrepos" which may use a different protocol than the main repository.

By putting an SSH repository inside an HTTP repository, an attacker can theoretically get us to execute hg without overriding ui.ssh, then execute code via the SSH hostname attack.

As an immediate mitigation to this attack, specify ui.ssh unconditionally. Normally, this will have no effect (it will just be ignored). In the specific case of an SSH repo inside an HTTP repo, it will defuse the ssh protocol.

For good measure and consistency, do the same for Subversion and Git. However, we don't normally maintain working copies for either Subversion or Git so it's unlikely that similar attacks exist there.

• Put an SSH subrepo with an attack URI inside an HTTP outer repo in Mercurial.
• Ran hg up with and without ui.ssh specified.
• Got dangerous badness without ui.ssh and safe ssh subprocesses with ui.ssh.

I'm not yet able to confirm that hg pull -u -- <uri> can actually trigger this, but this can't hurt and our SSH wrapper is safer than the native behavior for all Subversion, Git and Mercurial versions released prior to today.