NOTE: This task is currently incomplete, more details will be available shortly.
Via HackerOne. See also <https://hackerone.com/reports/288704>.
Mercurial parses the `--config` and `--debugger` flags in an unusual, nonstandard way: it scans the whole argument list for them before any other option parsing, so neither flags which take a value nor the `--` "end of flags" marker shield them. For example, this command:
$ hg log -- --debugger
...invokes the debugger. Likewise, this:
$ hg log --branch --debugger
...means "invoke the debugger", not "log the branch named `--debugger`".
Note that `--debugger` is a valid Mercurial branch name, but to create it you must do this:
$ hg branch --debugger --debugger
Then enter `c` to convince the debugger to continue execution.
The `--debugger` flag is dangerous (remote code execution) if users control `stdin`: it drops `hg` into the Python debugger, which reads and executes arbitrary Python from `stdin`. See CVE-2017-9462 for an earlier attack using this flag. See also D18611 and followup in D18616.
The `--config` flag is also dangerous and can also enable remote code execution with, e.g., `--config=hooks.pre-log=whoami` in a `log` command: the `pre-log` hook runs the given shell command before `hg log` executes, with the privileges of the `hg` process.
Broadly, the behavior of Mercurial is this:
(WARNING) The argument `--debugger`, and any argument beginning with `--config`, are unsafe to pass to Mercurial as part of //any// command, in //any// position, even after a `--` "end of flags" marker and even as the value of another flag. Callers must filter arguments and reject any such argument before passing it to `hg`. Consequently, the `hg` binary can not be used normally on a file named `--debugger`, a branch or bookmark named `--debugger`, a `grep` pattern `--debugger`, and so on, even though each of these is otherwise a valid file name, branch name, bookmark name, or pattern. Likewise for `--config`.
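The filter the warning calls for, as an added example that is not Mercurial's or Phabricator's own code. It implements the rule stated above (and covers the `--branch --debugger` and `--config=hooks.pre-log=whoami` cases discussed earlier): reject exactly `--debugger` and anything beginning with `--config`, in every position, without trying to interpret the command line the way getopt would. The binary path, function names and the sample argument lists are this example's own assumptions.

```python
"""Argument filter for callers that invoke the Mercurial ``hg`` binary.

Added example, not Mercurial's or Phabricator's code. It rejects
``--debugger`` and any argument beginning with ``--config`` in any
position, including after ``--`` and as the value of another flag,
because Mercurial picks those up before normal option parsing.
"""
import subprocess
from typing import List, Sequence, Tuple

HG_BINARY = "hg"  # assumed; use the absolute path of the deployed binary

# (predicate applied to one argv element, reason label). Matching is
# deliberately conservative: exact ``--debugger``, prefix ``--config``,
# which also catches ``--config=section.key=value``.
_UNSAFE_CHECKS = (
    (lambda a: a == "--debugger", "--debugger"),
    (lambda a: a.startswith("--config"), "--config"),
)


def unsafe_hg_args(args: Sequence[str]) -> List[Tuple[int, str, str]]:
    """Return (index, argument, reason) for every unsafe element of ``args``.

    The scan is position-blind on purpose: an argument after ``--`` or
    following a flag that takes a value (``--branch --debugger``) is just
    as dangerous as one in flag position.
    """
    found = []
    for i, arg in enumerate(args):
        for predicate, reason in _UNSAFE_CHECKS:
            if predicate(arg):
                found.append((i, arg, reason))
                break
    return found


def hg_argv(args: Sequence[str]) -> List[str]:
    """Build the argv for one ``hg`` invocation, or raise ValueError.

    Raising, rather than silently dropping the offending argument, matters:
    a branch or file genuinely named ``--debugger`` cannot be addressed
    through ``hg`` at all, and the caller should surface that refusal
    instead of returning results for a different command.
    """
    bad = unsafe_hg_args(args)
    if bad:
        detail = ", ".join(f"argv[{i}]={arg!r} ({why})" for i, arg, why in bad)
        raise ValueError(f"refusing to run hg with unsafe arguments: {detail}")
    return [HG_BINARY, *args]


def run_hg(args: Sequence[str], cwd: str = ".") -> subprocess.CompletedProcess:
    """Validate ``args`` and run ``hg`` without a shell and with stdin closed.

    stdin is DEVNULL so that even if a filter bug let ``--debugger``
    through, the debugger would read EOF rather than attacker input.
    """
    return subprocess.run(hg_argv(args), cwd=cwd, stdin=subprocess.DEVNULL,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed argument lists mirroring the cases described above.
    for argv in (["log", "--", "--debugger"],
                 ["log", "--branch", "--debugger"],
                 ["log", "--config=hooks.pre-log=whoami"],
                 ["log", "--config", "hooks.pre-log=whoami"],
                 ["log", "-r", "tip", "--", "README"]):
        try:
            print("ok     ", hg_argv(argv))
        except ValueError as e:
            print("REJECT ", e)
```

Because the filter is position-blind, it also rejects legitimate requests such as logging a branch literally named `--debugger`; that is the intended trade-off, since `hg` itself cannot handle such names safely.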
See also CVE-2017-1000116, although it is less closely related than the `--debugger` vulnerability (CVE-2017-9462).