HomePhabricator
Diffusion Arcanist 637c6584c6ea

(experimental) Work around a Windows escaping issue and security conecern in…
637c6584c6ea
Actions

Tags
None
Referenced Files
F5962134: dog.jpg
Oct 27 2018, 2:27 PM
Subscribers
None

Description

(experimental) Work around a Windows escaping issue and security conecern in "hg cat --output ..."

Summary:
See PHI904. Ref T13210. Ref T13209. Currently, we have an hg cat construction which attempts to pass a literal %p to Mercurial. This fails because you can't pass % through %s outside of wilds.

It also uses %C to pass a list of file paths. This is broadly unsafe and can cause command execution if you modify a file named, e.g., ; rm -rf xyz or similar. I think it would be difficult to turn this into an attack but it's fairly bad. This dates from D5144 in 2013.

Test Plan: With this patch, created D19757 which has valid binary data (see F5962134).

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13210, T13209

Differential Revision: https://secure.phabricator.com/D19758

Details

Provenance
epriestleyAuthored on Oct 25 2018, 1:55 AM
epriestleyPushed on Oct 27 2018, 2:27 PM
Reviewer
amckinley
Differential Revision
D19758: Work around a Windows escaping issue and security conecern in "hg cat --output ..."
Parents
rARC9d59e9e5908e: Merge branch "master" into "experimental".
Branches
Unknown
Tags
Unknown
Tasks
T13209: How To Properly Escape Commands on Windows (A Dark Tragedy)
T13210: Plans: 2018 Week 41-44 Bonus Content
Build Status
Buildable 21061
Build 28617: Run Core Tests

Changes (1)

PathSize
src/
repository/
api/

rARC637c6584c6ea

View Options

src/repository/api/ArcanistMercurialAPI.php

Loading...
Phabricator · Built by Phacility