Change Details

Largely a placeholder for the moment. See: https://hackerone.com/reports/288704

Via HackerOne. See also <https://hackerone.com/reports/288704>. Mercurial parses the `--config` and `--debugger` flags in an unusual, nonstandard way: it processes them before processing other flags and arguments, including flags which take arguments and the `--` "end of flags" marker. For example, this command: ``` $ hg log -- --debugger ``` ...invokes the debugger. Likewise, this: ``` $ hg log --branch --debugger ``` ...means "invoke the debugger", not "log the branch named `--debugger`". Note that `--debugger` is a valid Mercurial branch name, but to create it you must do this: ``` $ hg branch --debugger --debugger ``` Then enter `c` to convince the debugger to continue execution. The `--debugger` flag is dangerous (remote code execution) if users control `stdin`. See CVE-2017-9462 for an earlier attack using this flag. See also D18611 and followup in D18616. The `--config` flag is also dangerous and can also enable remote code execution with, e.g., `--config=hooks.pre-log=whoami` in a `log` command. Broadly, the behavior of Mercurial is this: (WARNING) The argument `--debugger`, and any argument beginning with `--config`, are unsafe to pass to Mercurial as part of //any// command, in //any// position, even after a `--` "end of flags" marker. Callers must filter arguments and reject any such argument before passing it to `hg`. Generally, the `hg` binary can not interact normally with files named `--debugger`, branches named `--debugger`, bookmarks named `--debugger`, search for the pattern `--debugger` using `grep`, etc., even though this is a valid file name, a valid branch name, a valid bookmark name, a valid pattern, and so on. Likewise for `--config`. See also CVE-2017-1000116, although this is not as closely related as the `--debugger` vulnerability.

Largely a placeholder for the momentVia HackerOne. See:See also <https://hackerone.com/reports/288704>. https://hackerone.com/reports/288704Mercurial parses the `--config` and `--debugger` flags in an unusual, nonstandard way: it processes them before processing other flags and arguments, including flags which take arguments and the `--` "end of flags" marker. For example, this command: ``` $ hg log -- --debugger ``` ...invokes the debugger. Likewise, this: ``` $ hg log --branch --debugger ``` ...means "invoke the debugger", not "log the branch named `--debugger`". Note that `--debugger` is a valid Mercurial branch name, but to create it you must do this: ``` $ hg branch --debugger --debugger ``` Then enter `c` to convince the debugger to continue execution. The `--debugger` flag is dangerous (remote code execution) if users control `stdin`. See CVE-2017-9462 for an earlier attack using this flag. See also D18611 and followup in D18616. The `--config` flag is also dangerous and can also enable remote code execution with, e.g., `--config=hooks.pre-log=whoami` in a `log` command. Broadly, the behavior of Mercurial is this: (WARNING) The argument `--debugger`, and any argument beginning with `--config`, are unsafe to pass to Mercurial as part of //any// command, in //any// position, even after a `--` "end of flags" marker. Callers must filter arguments and reject any such argument before passing it to `hg`. Generally, the `hg` binary can not interact normally with files named `--debugger`, branches named `--debugger`, bookmarks named `--debugger`, search for the pattern `--debugger` using `grep`, etc., even though this is a valid file name, a valid branch name, a valid bookmark name, a valid pattern, and so on. Likewise for `--config`. See also CVE-2017-1000116, although this is not as closely related as the `--debugger` vulnerability.