diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -2392,6 +2392,7 @@
'PhabricatorRepositoryURINormalizerTestCase' => 'applications/repository/data/__tests__/PhabricatorRepositoryURINormalizerTestCase.php',
'PhabricatorRepositoryURITestCase' => 'applications/repository/storage/__tests__/PhabricatorRepositoryURITestCase.php',
'PhabricatorRepositoryVCSPassword' => 'applications/repository/storage/PhabricatorRepositoryVCSPassword.php',
+ 'PhabricatorRepositoryVersion' => 'applications/repository/constants/PhabricatorRepositoryVersion.php',
'PhabricatorRobotsController' => 'applications/system/controller/PhabricatorRobotsController.php',
'PhabricatorS3FileStorageEngine' => 'applications/files/engine/PhabricatorS3FileStorageEngine.php',
'PhabricatorSMS' => 'infrastructure/sms/storage/PhabricatorSMS.php',
@@ -5757,6 +5758,7 @@
'PhabricatorRepositoryURINormalizerTestCase' => 'PhabricatorTestCase',
'PhabricatorRepositoryURITestCase' => 'PhabricatorTestCase',
'PhabricatorRepositoryVCSPassword' => 'PhabricatorRepositoryDAO',
+ 'PhabricatorRepositoryVersion' => 'Phobject',
'PhabricatorRobotsController' => 'PhabricatorController',
'PhabricatorS3FileStorageEngine' => 'PhabricatorFileStorageEngine',
'PhabricatorSMS' => 'PhabricatorSMSDAO',
diff --git a/src/applications/config/check/PhabricatorBinariesSetupCheck.php b/src/applications/config/check/PhabricatorBinariesSetupCheck.php
--- a/src/applications/config/check/PhabricatorBinariesSetupCheck.php
+++ b/src/applications/config/check/PhabricatorBinariesSetupCheck.php
@@ -121,18 +121,7 @@
'2.2' => pht('This version of Mercurial has a significant memory '.
'leak, fixed in 2.2.1. Pushing fails with this '.
'version as well; see T3046#54922.'),);
- list($err, $stdout, $stderr) = exec_manual('hg --version --quiet');
-
- // NOTE: At least on OSX, recent versions of Mercurial report this
- // string in this format:
- //
- // Mercurial Distributed SCM (version 3.1.1+20140916)
-
- $matches = null;
- $pattern = '/^Mercurial Distributed SCM \(version ([\d.]+)/m';
- if (preg_match($pattern, $stdout, $matches)) {
- $version = $matches[1];
- }
+ $version = PhabricatorRepositoryVersion::getMercurialVersion();
break;
}
diff --git a/src/applications/repository/constants/PhabricatorRepositoryVersion.php b/src/applications/repository/constants/PhabricatorRepositoryVersion.php
new file mode 100644
--- /dev/null
+++ b/src/applications/repository/constants/PhabricatorRepositoryVersion.php
@@ -0,0 +1,22 @@
+<?php
+
+final class PhabricatorRepositoryVersion extends Phobject {
+
+ public static function getMercurialVersion() {
+ list($err, $stdout, $stderr) = exec_manual('hg --version --quiet');
+
+ // NOTE: At least on OSX, recent versions of Mercurial report this
+ // string in this format:
+ //
+ // Mercurial Distributed SCM (version 3.1.1+20140916)
+
+ $matches = null;
+ $pattern = '/^Mercurial Distributed SCM \(version ([\d.]+)/m';
+ if (preg_match($pattern, $stdout, $matches)) {
+ return $matches[1];
+ }
+
+ return null;
+ }
+
+}
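Review bot: getMercurialVersion() has no docblock, and its null return is load-bearing for the version gate in PhabricatorRepositoryPullEngine, so the contract should be written down. Proposed docblock above the method: `/** Return the version string reported by "hg --version --quiet", or null if hg cannot be run or its output does not match the expected "Mercurial Distributed SCM (version X.Y.Z...)" line. Callers must treat null as "unknown", not as "safe". */`. The `$err` and `$stderr` values from exec_manual() are unused; when `hg` is missing `$stdout` is empty and the method falls through to `return null`, which appears intended but deserves a one-line comment such as `// A missing or unrecognised binary yields null; callers decide how to treat it.`.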
diff --git a/src/applications/repository/engine/PhabricatorRepositoryPullEngine.php b/src/applications/repository/engine/PhabricatorRepositoryPullEngine.php
--- a/src/applications/repository/engine/PhabricatorRepositoryPullEngine.php
+++ b/src/applications/repository/engine/PhabricatorRepositoryPullEngine.php
@@ -367,9 +367,27 @@
'init -- %s',
$path);
} else {
+ $remote = $repository->getRemoteURIEnvelope();
+
+ // NOTE: Mercurial prior to 3.2.4 has an severe command injection
+ // vulnerability. See: <http://bit.ly/19B58E9>
+
+ // On earlier versions of Mercurial, we intentionally double-escape
+ // the remote URI to work around this.
+ $hg_version = PhabricatorRepositoryVersion::getMercurialVersion();
+ $is_vulnerable = version_compare($hg_version, '3.2.4', '<');
+ if ($is_vulnerable) {
+ $remote = $remote->openEnvelope();
+ // The use of "%R" here is an attempt to limit collateral damage
+ // for normal URIs because it isn't clear how long this vulnerability
+ // has been around for.
+ $remote = csprintf('%R', $remote);
+ $remote = new PhutilOpaqueEnvelope((string)$remote);
+ }
+
$repository->execxRemoteCommand(
'clone --noupdate -- %P %s',
- $repository->getRemoteURIEnvelope(),
+ $remote,
$path);
}
}
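Review bot: The vulnerability gate at `$is_vulnerable = version_compare($hg_version, '3.2.4', '<');` relies on an implicit coercion when getMercurialVersion() returns null: version_compare() treats null as an empty string, which sorts below any real version, so an unparseable or missing `hg` is silently classified as vulnerable. That is the safe direction, but it should be explicit so a later change to the helper (or a stricter PHP runtime that rejects null here) cannot flip it: `$is_vulnerable = ($hg_version === null) || version_compare($hg_version, '3.2.4', '<');`, with a comment `// Unknown version: assume vulnerable and double-escape.`. The comment on the line reading "has an severe command injection" should read "a severe". The enclosing method begins before this hunk; if the pull path in the same engine also hands the remote URI to hg, it presumably needs the same treatment, but that code is not visible here.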
D12112: Fix Mercurial command injection vulnerability