Differential D18306 Diff 44026 src/applications/repository/engine/PhabricatorRepositoryPullEngine.php
src/applications/repository/engine/PhabricatorRepositoryPullEngine.php
| Show First 20 Lines • Show All 479 Lines • ▼ Show 20 Lines | private function executeMercurialCreate() { | ||||
| } else { | } else { | ||||
| $remote = $repository->getRemoteURIEnvelope(); | $remote = $repository->getRemoteURIEnvelope(); | ||||
| // NOTE: Mercurial prior to 3.2.4 has an severe command injection | // NOTE: Mercurial prior to 3.2.4 has an severe command injection | ||||
| // vulnerability. See: <http://bit.ly/19B58E9> | // vulnerability. See: <http://bit.ly/19B58E9> | ||||
| // On vulnerable versions of Mercurial, we refuse to clone remotes which | // On vulnerable versions of Mercurial, we refuse to clone remotes which | ||||
| // contain characters which may be interpreted by the shell. | // contain characters which may be interpreted by the shell. | ||||
| $hg_version = PhabricatorRepositoryVersion::getMercurialVersion(); | $hg_binary = PhutilBinaryAnalyzer::getForBinary('hg'); | ||||
| $is_vulnerable = version_compare($hg_version, '3.2.4', '<'); | $is_vulnerable = $hg_binary->isMercurialVulnerableToInjection(); | ||||
| if ($is_vulnerable) { | if ($is_vulnerable) { | ||||
| $cleartext = $remote->openEnvelope(); | $cleartext = $remote->openEnvelope(); | ||||
| // The use of "%R" here is an attempt to limit collateral damage | // The use of "%R" here is an attempt to limit collateral damage | ||||
| // for normal URIs because it isn't clear how long this vulnerability | // for normal URIs because it isn't clear how long this vulnerability | ||||
| // has been around for. | // has been around for. | ||||
| $escaped = csprintf('%R', $cleartext); | $escaped = csprintf('%R', $cleartext); | ||||
| if ((string)$escaped !== (string)$cleartext) { | if ((string)$escaped !== (string)$cleartext) { | ||||
| throw new Exception( | throw new Exception( | ||||
| pht( | pht( | ||||
| 'You have an old version of Mercurial (%s) which has a severe '. | 'You have an old version of Mercurial (%s) which has a severe '. | ||||
| 'command injection security vulnerability. The remote URI for '. | 'command injection security vulnerability. The remote URI for '. | ||||
| 'this repository (%s) is potentially unsafe. Upgrade Mercurial '. | 'this repository (%s) is potentially unsafe. Upgrade Mercurial '. | ||||
| 'to at least 3.2.4 to clone it.', | 'to at least 3.2.4 to clone it.', | ||||
| $hg_version, | $hg_binary->getBinaryVersion(), | ||||
| $repository->getMonogram())); | $repository->getMonogram())); | ||||
| } | } | ||||
| } | } | ||||
| try { | try { | ||||
| $repository->execxRemoteCommand( | $repository->execxRemoteCommand( | ||||
| 'clone --noupdate -- %P %s', | 'clone --noupdate -- %P %s', | ||||
| $remote, | $remote, | ||||
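Review bot: The vulnerability cutoff now lives inside `PhutilBinaryAnalyzer::isMercurialVulnerableToInjection()`, yet the comment above (`// NOTE: Mercurial prior to 3.2.4 has an severe command injection`) and the exception text (`'to at least 3.2.4 to clone it.'`) still hard-code 3.2.4, so the two can drift silently if the analyzer's threshold is ever adjusted; either state in the comment that the analyzer is authoritative, e.g. `// The vulnerable-version cutoff is owned by PhutilBinaryAnalyzer; keep this message in sync with it.`, or derive the version named in the message from the analyzer. It is also worth confirming how the analyzer behaves when the `hg` version cannot be determined: for a clone-time injection guard an unknown version should be treated as vulnerable (fail closed), and if `getBinaryVersion()` can return null in that situation the `%s` in the message would render empty rather than explaining why the clone was refused. The enclosing method `executeMercurialCreate()` begins before and continues past this hunk.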