Diff: Revision 2 (+10)
Deny invalid path
Review Request #2422 — Created April 4, 2023 and submitted
Information
aklitzing@gmail.com
grim/hgkeeper
default
2424
Reviewers: grim
If an authenticated user calls
hg init hg.host.com/dummy/../../../etc
it will create the repository in another root directory if the process of
hgkeeper has permissions for this.
This could be an attack on the server. Also the hgkeeper admin repository can be overridden like this.
hg init ssh://hg.host.com/dummy/../hgkeeper/keys
Author: Andre Klitzing
Description | From | Last Updated |
---|---|---|
mh, that is a bad fix... let's retry... | |
we probably want to use filepath.Clean here on repoName at a minimum. | |
not really a fan of a security related function being duplicated. I know this is because there's no good place … | |
Diff: Revision 3 (+38 -8)
Diff: Revision 4 (+38 -16)
Diff: Revision 5 (+38 -8)
ssh/commands/commands.go (Diff revision 5): we probably want to use filepath.Clean here on repoName at a minimum.
Diff: Revision 6 (+40 -8)
Diff: Revision 7 (+38 -8)
Diff: Revision 8 (+70 -12)
Diff: Revision 9 (+70 -12)
ssh/commands/commands.go (Diff revision 9): not really a fan of a security related function being duplicated. I know this is because there's no good place to put it right now. Maybe a normalize package?
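The description above shows a repository name such as dummy/../../../etc escaping the repositories root, and the reviewer comments on revisions 5 and 9 ask for filepath.Clean on repoName and for the check to live in a single normalize-style package. The following is an added illustration of such a check, not hgkeeper's own code: a hypothetical NormalizeRepoName/RepoDir pair that assumes the SSH command handler receives only the path part of the URL (for example dummy/../../../etc) and that repositories live under a constructed sample root /srv/hgkeeper/repos. It rejects any ".." component outright rather than only cleaning it, because cleaning dummy/../hgkeeper/keys would silently turn it into the admin repository's own path; whether a user may write to hgkeeper/keys by name is an authorization decision outside this helper.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrInvalidRepoPath is returned for any repository name that must not be
// mapped onto the filesystem.
var ErrInvalidRepoPath = errors.New("invalid repository path")

// NormalizeRepoName validates a repository name supplied over SSH (for
// example the argument of "hg init") and returns its cleaned, slash-separated
// form relative to root. Hypothetical helper, not hgkeeper's code.
func NormalizeRepoName(root, repoName string) (string, error) {
	// Treat backslashes as separators too, so a Windows host cannot be
	// tricked by "dummy\..\..\etc"; then drop a harmless trailing slash.
	name := strings.TrimSpace(strings.ReplaceAll(repoName, "\\", "/"))
	name = strings.TrimRight(name, "/")
	if name == "" || strings.HasPrefix(name, "/") {
		return "", ErrInvalidRepoPath
	}
	// Reject "..", "." and empty components before cleaning: a legitimate
	// repository name never needs them, and cleaning "dummy/../hgkeeper/keys"
	// would otherwise yield the admin repository's own path.
	for _, part := range strings.Split(name, "/") {
		if part == "" || part == "." || part == ".." {
			return "", ErrInvalidRepoPath
		}
	}
	cleaned := filepath.ToSlash(filepath.Clean(filepath.FromSlash(name)))

	// Belt and braces: confirm the final location still lies inside root.
	root = filepath.Clean(root)
	full := filepath.Join(root, filepath.FromSlash(cleaned))
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidRepoPath
	}
	return cleaned, nil
}

// RepoDir maps a validated repository name to its on-disk directory under root.
func RepoDir(root, repoName string) (string, error) {
	name, err := NormalizeRepoName(root, repoName)
	if err != nil {
		return "", err
	}
	return filepath.Join(filepath.Clean(root), filepath.FromSlash(name)), nil
}

func main() {
	root := "/srv/hgkeeper/repos" // constructed sample root
	// Constructed inputs: one ordinary name plus the two names from the report.
	for _, name := range []string{"team/project/", "dummy/../../../etc", "dummy/../hgkeeper/keys", "/etc"} {
		dir, err := RepoDir(root, name)
		if err != nil {
			fmt.Printf("%-26q rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-26q -> %s\n", name, dir)
	}
}
```

Keeping the check in one exported function, as the revision 9 comment suggests, means every SSH command (init, clone, push) resolves repository names through the same path and the root-containment test is never duplicated or skipped.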
Diff: Revision 10 (+40 -10)
Diff: Revision 11 (+46 -10)