Increase strictness of URI parsing, rejecting URIs in the form "ssh://-flag"
Ref T12961. See that task for discussion of the major attack we're responding to here.
- Reject hosts beginning with "-". These are not legitimate.
- Reject hosts beginning with ".". These are also not legitimate.
- Tighten $ to \z. $ can match either "newline, end of string" or "end of string". \z matches ONLY "end of string". We don't want to match a newline, only "end of string" strictly.
- We already that hosts otherwise contain only "reasonable" characters (letters, numbers, hyphens, and periods).
- Added unit tests, ran unit tests.
- Tried to set a repository URI to ssh://-oxyz/path with these changes, which worked previously; it no longer works.
Reviewed By: chad
Maniphest Tasks: T12961
Differential Revision: https://secure.phabricator.com/D18388