Differential D18306 Diff 44026 src/applications/repository/engine/PhabricatorRepositoryPullEngine.php
src/applications/repository/engine/PhabricatorRepositoryPullEngine.php
Show First 20 Lines • Show All 479 Lines • ▼ Show 20 Lines | private function executeMercurialCreate() { | ||||
} else { | } else { | ||||
$remote = $repository->getRemoteURIEnvelope(); | $remote = $repository->getRemoteURIEnvelope(); | ||||
// NOTE: Mercurial prior to 3.2.4 has an severe command injection | // NOTE: Mercurial prior to 3.2.4 has an severe command injection | ||||
// vulnerability. See: <http://bit.ly/19B58E9> | // vulnerability. See: <http://bit.ly/19B58E9> | ||||
// On vulnerable versions of Mercurial, we refuse to clone remotes which | // On vulnerable versions of Mercurial, we refuse to clone remotes which | ||||
// contain characters which may be interpreted by the shell. | // contain characters which may be interpreted by the shell. | ||||
$hg_version = PhabricatorRepositoryVersion::getMercurialVersion(); | $hg_binary = PhutilBinaryAnalyzer::getForBinary('hg'); | ||||
$is_vulnerable = version_compare($hg_version, '3.2.4', '<'); | $is_vulnerable = $hg_binary->isMercurialVulnerableToInjection(); | ||||
if ($is_vulnerable) { | if ($is_vulnerable) { | ||||
$cleartext = $remote->openEnvelope(); | $cleartext = $remote->openEnvelope(); | ||||
// The use of "%R" here is an attempt to limit collateral damage | // The use of "%R" here is an attempt to limit collateral damage | ||||
// for normal URIs because it isn't clear how long this vulnerability | // for normal URIs because it isn't clear how long this vulnerability | ||||
// has been around for. | // has been around for. | ||||
$escaped = csprintf('%R', $cleartext); | $escaped = csprintf('%R', $cleartext); | ||||
if ((string)$escaped !== (string)$cleartext) { | if ((string)$escaped !== (string)$cleartext) { | ||||
throw new Exception( | throw new Exception( | ||||
pht( | pht( | ||||
'You have an old version of Mercurial (%s) which has a severe '. | 'You have an old version of Mercurial (%s) which has a severe '. | ||||
'command injection security vulnerability. The remote URI for '. | 'command injection security vulnerability. The remote URI for '. | ||||
'this repository (%s) is potentially unsafe. Upgrade Mercurial '. | 'this repository (%s) is potentially unsafe. Upgrade Mercurial '. | ||||
'to at least 3.2.4 to clone it.', | 'to at least 3.2.4 to clone it.', | ||||
$hg_version, | $hg_binary->getBinaryVersion(), | ||||
$repository->getMonogram())); | $repository->getMonogram())); | ||||
} | } | ||||
} | } | ||||
try { | try { | ||||
$repository->execxRemoteCommand( | $repository->execxRemoteCommand( | ||||
'clone --noupdate -- %P %s', | 'clone --noupdate -- %P %s', | ||||
$remote, | $remote, | ||||
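Review bot: The gate at the `$is_vulnerable` line now depends on what `isMercurialVulnerableToInjection()` returns when `PhutilBinaryAnalyzer::getForBinary('hg')` cannot determine a version (hg missing from PATH, unparseable `hg --version` output); if that path yields `false`, the `%R` metacharacter check below is skipped entirely, which is fail-open, whereas the old `version_compare($hg_version, '3.2.4', '<')` treated an empty or null version as vulnerable and refused the clone. Confirm the analyzer fails closed (returns true or throws on an unknown version) and record that expectation next to the call, e.g. `// Must fail closed: an unknown hg version is treated as vulnerable.` The exception text still hardcodes `3.2.4` while the threshold now lives inside the analyzer, so the two can drift silently; either source the minimum version from the analyzer or add `// keep in sync with PhutilBinaryAnalyzer's Mercurial threshold` beside the string. The body of executeMercurialCreate begins before this hunk (collapsed lines after the signature) and continues past it.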