[Python-apps-commits] r12208 - in packages/mercurial/branches/jessie-backports/debian/patches (4 files)
vicho at users.alioth.debian.org
vicho at users.alioth.debian.org
Sat Aug 8 09:12:00 UTC 2015
Date: Saturday, August 8, 2015 @ 09:11:59
Author: vicho
Revision: 12208
remove stale patches that were present in jessie but never made it to sid
Deleted:
packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
Deleted: packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
===================================================================
--- packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 2015-08-07 23:17:09 UTC (rev 12207)
+++ packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 2015-08-08 09:11:59 UTC (rev 12208)
@@ -1,44 +0,0 @@
-Origin: http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
-Description: encoding: add hfsignoreclean to clean out HFS-ignored characters
- According to Apple Technote 1150 (unavailable from Apple as far as I
- can tell, but archived in several places online), HFS+ ignores sixteen
- specific unicode runes when doing path normalization. We need to
- handle those cases, so this function lets us efficiently strip the
- offending characters from a UTF-8 encoded string (which is the only
- way it seems to matter on OS X.)
- .
- This is a fix for CVE-2014-9390
-Applied-Upstream: 3.2.3
-
-diff --git a/mercurial/encoding.py b/mercurial/encoding.py
---- a/mercurial/encoding.py
-+++ b/mercurial/encoding.py
-@@ -8,6 +8,28 @@
- import error
- import unicodedata, locale, os
-
-+# These unicode characters are ignored by HFS+ (Apple Technote 1150,
-+# "Unicode Subtleties"), so we need to ignore them in some places for
-+# sanity.
-+_ignore = [unichr(int(x, 16)).encode("utf-8") for x in
-+ "200c 200d 200e 200f 202a 202b 202c 202d 202e "
-+ "206a 206b 206c 206d 206e 206f feff".split()]
-+# verify the next function will work
-+assert set([i[0] for i in _ignore]) == set(["\xe2", "\xef"])
-+
-+def hfsignoreclean(s):
-+ """Remove codepoints ignored by HFS+ from s.
-+
-+ >>> hfsignoreclean(u'.h\u200cg'.encode('utf-8'))
-+ '.hg'
-+ >>> hfsignoreclean(u'.h\ufeffg'.encode('utf-8'))
-+ '.hg'
-+ """
-+ if "\xe2" in s or "\xef" in s:
-+ for c in _ignore:
-+ s = s.replace(c, '')
-+ return s
-+
- def _getpreferredencoding():
- '''
- On darwin, getpreferredencoding ignores the locale environment and
Deleted: packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
===================================================================
--- packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch 2015-08-07 23:17:09 UTC (rev 12207)
+++ packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch 2015-08-08 09:11:59 UTC (rev 12208)
@@ -1,63 +0,0 @@
-Origin: http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
-Description: pathauditor: check for Windows shortname aliases
- This is a fix for CVE-2014-9390
-Applied-Upstream: 3.2.3
-
---- a/mercurial/pathutil.py
-+++ b/mercurial/pathutil.py
-@@ -46,6 +46,13 @@ class pathauditor(object):
- or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
- or os.pardir in parts):
- raise util.Abort(_("path contains illegal component: %s") % path)
-+ # Windows shortname aliases
-+ for p in parts:
-+ if "~" in p:
-+ first, last = p.split("~", 1)
-+ if last.isdigit() and first.upper() in ["HG", "HG8B6C"]:
-+ raise util.Abort(_("path contains illegal component: %s")
-+ % path)
- if '.hg' in _lowerclean(path):
- lparts = [_lowerclean(p.lower()) for p in parts]
- for p in '.hg', '.hg.':
---- a/tests/test-commit.t
-+++ b/tests/test-commit.t
-@@ -435,4 +435,38 @@ verify pathauditor blocks evil filepaths
- abort: path contains illegal component: .h\xe2\x80\x8cg/hgrc (esc)
- [255]
-
-- $ cd ..
-+ $ hg rollback -f
-+ repository tip rolled back to revision 1 (undo commit)
-+ $ cat > evil-commit.py <<EOF
-+ > from mercurial import ui, hg, context, node
-+ > notrc = "HG~1/hgrc"
-+ > u = ui.ui()
-+ > r = hg.repository(u, '.')
-+ > def filectxfn(repo, memctx, path):
-+ > return context.memfilectx(repo, path, '[hooks]\nupdate = echo owned')
-+ > c = context.memctx(r, [r['tip'].node(), node.nullid],
-+ > 'evil', [notrc], filectxfn, 0)
-+ > r.commitctx(c)
-+ > EOF
-+ $ $PYTHON evil-commit.py
-+ $ hg co --clean tip
-+ abort: path contains illegal component: HG~1/hgrc
-+ [255]
-+
-+ $ hg rollback -f
-+ repository tip rolled back to revision 1 (undo commit)
-+ $ cat > evil-commit.py <<EOF
-+ > from mercurial import ui, hg, context, node
-+ > notrc = "HG8B6C~2/hgrc"
-+ > u = ui.ui()
-+ > r = hg.repository(u, '.')
-+ > def filectxfn(repo, memctx, path):
-+ > return context.memfilectx(repo, path, '[hooks]\nupdate = echo owned')
-+ > c = context.memctx(r, [r['tip'].node(), node.nullid],
-+ > 'evil', [notrc], filectxfn, 0)
-+ > r.commitctx(c)
-+ > EOF
-+ $ $PYTHON evil-commit.py
-+ $ hg co --clean tip
-+ abort: path contains illegal component: HG8B6C~2/hgrc
-+ [255]
Deleted: packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
===================================================================
--- packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 2015-08-07 23:17:09 UTC (rev 12207)
+++ packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 2015-08-08 09:11:59 UTC (rev 12208)
@@ -1,59 +0,0 @@
-Origin: http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
-Description: pathauditor: check for codepoints ignored on OS X
- This is a fix for CVE-2014-9390
-Applied-Upstream: 3.2.3
-
---- a/mercurial/pathutil.py
-+++ b/mercurial/pathutil.py
-@@ -1,8 +1,12 @@
- import os, errno, stat
-
-+import encoding
- import util
- from i18n import _
-
-+def _lowerclean(s):
-+ return encoding.hfsignoreclean(s.lower())
-+
- class pathauditor(object):
- '''ensure that a filesystem path contains no banned components.
- the following properties of a path are checked:
-@@ -39,11 +43,11 @@ class pathauditor(object):
- raise util.Abort(_("path ends in directory separator: %s") % path)
- parts = util.splitpath(path)
- if (os.path.splitdrive(path)[0]
-- or parts[0].lower() in ('.hg', '.hg.', '')
-+ or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
- or os.pardir in parts):
- raise util.Abort(_("path contains illegal component: %s") % path)
-- if '.hg' in path.lower():
-- lparts = [p.lower() for p in parts]
-+ if '.hg' in _lowerclean(path):
-+ lparts = [_lowerclean(p.lower()) for p in parts]
- for p in '.hg', '.hg.':
- if p in lparts[1:]:
- pos = lparts.index(p)
---- a/tests/test-commit.t
-+++ b/tests/test-commit.t
-@@ -418,4 +418,21 @@ commit copy
- 0 0 6 ..... 0 26d3ca0dfd18 000000000000 000000000000 (re)
- 1 6 7 ..... 1 d267bddd54f7 26d3ca0dfd18 000000000000 (re)
-
-+verify pathauditor blocks evil filepaths
-+ $ cat > evil-commit.py <<EOF
-+ > from mercurial import ui, hg, context, node
-+ > notrc = u".h\u200cg".encode('utf-8') + '/hgrc'
-+ > u = ui.ui()
-+ > r = hg.repository(u, '.')
-+ > def filectxfn(repo, memctx, path):
-+ > return context.memfilectx(repo, path, '[hooks]\nupdate = echo owned')
-+ > c = context.memctx(r, [r['tip'].node(), node.nullid],
-+ > 'evil', [notrc], filectxfn, 0)
-+ > r.commitctx(c)
-+ > EOF
-+ $ $PYTHON evil-commit.py
-+ $ hg co --clean tip
-+ abort: path contains illegal component: .h\xe2\x80\x8cg/hgrc (esc)
-+ [255]
-+
- $ cd ..
Deleted: packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
===================================================================
--- packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch 2015-08-07 23:17:09 UTC (rev 12207)
+++ packages/mercurial/branches/jessie-backports/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch 2015-08-08 09:11:59 UTC (rev 12208)
@@ -1,31 +0,0 @@
-Origin: http://selenic.com/hg/rev/e3f30068d2eb
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783237
-Description: sshpeer: more thorough shell quoting
- This fixes CVE-2014-9462
-Applied-Upstream: 3.2.4
-
-diff --git a/mercurial/sshpeer.py b/mercurial/sshpeer.py
---- a/mercurial/sshpeer.py
-+++ b/mercurial/sshpeer.py
-@@ -20,6 +20,8 @@ class remotelock(object):
- self.release()
-
- def _serverquote(s):
-+ if not s:
-+ return s
- '''quote a string for the remote shell ... which we assume is sh'''
- if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
- return s
-@@ -45,7 +47,10 @@ class sshpeer(wireproto.wirepeer):
- sshcmd = self.ui.config("ui", "ssh", "ssh")
- remotecmd = self.ui.config("ui", "remotecmd", "hg")
-
-- args = util.sshargs(sshcmd, self.host, self.user, self.port)
-+ args = util.sshargs(sshcmd,
-+ _serverquote(self.host),
-+ _serverquote(self.user),
-+ _serverquote(self.port))
-
- if create:
- cmd = '%s %s %s' % (sshcmd, args,
-