[Bug 3601] New: hg serve uses String.replace without escaping $ in replacement text
bugzilla-daemon at bz.selenic.com
Mon Aug 27 15:46:58 UTC 2012
http://bz.selenic.com/show_bug.cgi?id=3601
Priority: normal
Bug ID: 3601
CC: mercurial-devel at selenic.com
Assignee: bugzilla at selenic.com
Summary: hg serve uses String.replace without escaping $ in replacement text
Severity: bug
Classification: Unclassified
OS: All
Reporter: j.prevost at gmail.com
Hardware: All
Status: UNCONFIRMED
Version: 2.3
Component: Mercurial
Product: Mercurial
The JS String.replace operation takes a regular expression and a replacement
string (as described in
https://developer.mozilla.org/en-US/docs/JavaScript/Reference/Global_Objects/String/replace).
If "$" appears in the replacement string, it is treated as a special character
to reference some part of the original string based on what was matched.
When "$" appears in text to be substituted (the log message, for example), it
is not being escaped as "$$", and an incorrect substitution is made. As far as
I can tell this should not be able to cause any security problems, but it does
surprise the user and make them wonder if this software is safe.
--
You are receiving this mail because:
You are on the CC list for the bug.
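The substitution behaviour the report describes, shown as an added example (this is not Mercurial's own code; the template and commit message are constructed inputs, and the placeholder syntax `{desc}` is an assumption standing in for whatever hg serve's templater emits). The naive form hands user-controlled text to `String.prototype.replace` as a replacement string, so `$&` in a log message expands to the matched placeholder. The two fixes are the `$$` escaping the reporter mentions and, more robustly, passing a replacer function, whose return value is inserted verbatim. `fillTemplate` generalises the function form to any number of named placeholders.

```javascript
// Added example, not Mercurial's code: how "$" in a replacement string is
// misinterpreted by String.prototype.replace, and two ways to avoid it.

// Constructed sample inputs: a simple template with {name} placeholders
// (assumed syntax) and a commit message that happens to contain "$".
const TEMPLATE = 'Changeset {desc} by {author}';
const DESC = 'Pay $5 for $& coffee';

// Naive: the text is used directly as the replacement string.
// "$&" is the "whole match" pattern, so it expands to "{desc}".
// ("$5" survives only because the regex has no capture group 5.)
function fillNaive(template, desc) {
  return template.replace(/\{desc\}/g, desc);
}

// Fix 1: escape every "$" as "$$" before using the text as a replacement
// string. The escaping call itself must write "$$$$", because replace()
// collapses each "$$" in its replacement argument to a single "$".
function escapeReplacement(text) {
  return text.replace(/\$/g, '$$$$');
}
function fillEscaped(template, desc) {
  return template.replace(/\{desc\}/g, escapeReplacement(desc));
}

// Fix 2: pass a function as the replacement. Whatever the function returns
// is inserted literally; no "$" pattern processing is applied to it.
function fillWithFunction(template, desc) {
  return template.replace(/\{desc\}/g, () => desc);
}

// Generalisation: fill several named placeholders from an object in one pass.
// Because the replacer is a function, no value ever needs escaping, and
// unknown placeholders are left untouched.
function fillTemplate(template, values) {
  return template.replace(/\{(\w+)\}/g, (match, key) =>
    Object.prototype.hasOwnProperty.call(values, key) ? String(values[key]) : match
  );
}

console.log(fillNaive(TEMPLATE, DESC));        // Changeset Pay $5 for {desc} coffee by {author}
console.log(fillEscaped(TEMPLATE, DESC));      // Changeset Pay $5 for $& coffee by {author}
console.log(fillWithFunction(TEMPLATE, DESC)); // Changeset Pay $5 for $& coffee by {author}
console.log(fillTemplate(TEMPLATE, { desc: DESC, author: 'j.prevost' }));
                                               // Changeset Pay $5 for $& coffee by j.prevost
```

The function form is preferable to escaping: it needs no knowledge of which `$` sequences the engine recognises (`$&`, `$'`, `` $` ``, `$n`, `$<name>`), so it cannot be broken by a future addition to that list, and it keeps the escaping step from being forgotten at one of several call sites.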