[PATCH V2] patchbomb: protect email addresses from shell
Yuya Nishihara
yuya at tcha.org
Wed Oct 2 23:09:20 UTC 2019
On Wed, 02 Oct 2019 21:35:52 +0200, Floris Bruynooghe wrote:
> On Tue 01 Oct 2019 at 08:15 +0900, Yuya Nishihara wrote:
> > On Mon, 30 Sep 2019 21:22:17 +0200, Floris Bruynooghe wrote:
> >> # HG changeset patch
> >> # User Floris Bruynooghe <flub at google.com>
> >> # Date 1569794518 -7200
> >> # Mon Sep 30 00:01:58 2019 +0200
> >> # Node ID 7c69ab0787ac4931a5d4568704eb88e86d9c6b83
> >> # Parent bbf77341a956b3ba40ae87538fcd200b34c5a3e5
> >> patchbomb: protect email addresses from shell
> >
> >> diff --git a/mercurial/mail.py b/mercurial/mail.py
> >> --- a/mercurial/mail.py
> >> +++ b/mercurial/mail.py
> >> @@ -152,7 +152,8 @@ def _smtp(ui):
> >> def _sendmail(ui, sender, recipients, msg):
> >> '''send mail using sendmail.'''
> >> program = ui.config('email', 'method')
> >> - stremail = lambda x: stringutil.email(encoding.strtolocal(x))
> >> + stremail = lambda x: \
> >> + procutil.quote(stringutil.email(encoding.strtolocal(x)))
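Review bot: the `procutil.quote(...)` call on the added `stremail` lines needs a check that the helper accepts whatever `stringutil.email(encoding.strtolocal(x))` returns on Python 3 and that it quotes for the platform's shell rather than for POSIX sh only. The hunk touches no import line, so please also confirm `procutil` is already imported in mail.py. A test that sends to an address containing a space or a shell metacharacter would pin the behaviour down, and the backslash continuation after `lambda x:` would read better as a small nested `def` or a parenthesised expression.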
> >
> > procutil.shellquote() ?
>
> Sure, I should have spotted that...
>
> > I don't think shlex supports byte strings on Python 3, and maybe it wouldn't
> > respect the cmd.exe rule on Windows.
>
> Hmm, I don't think I follow everything correctly. encoding.strtolocal()
> returns bytes?

Yes.

> But stringutils.email() uses .find('>'), that is on py3
> this is b'foo'.find('<') and thus mixes unicode and bytes.

We have a code transformer which basically rewrites every '' to b''.
https://www.mercurial-scm.org/wiki/Python3#Source_Rewriting_Module_Importer

Anyway, this patch has already been queued, and I sent a follow-up patch mostly
identical to your V3, thanks.
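
Added example, not part of the original message or of Mercurial's code: a Python 3 sketch of the two points raised in this thread, that the standard library's `shlex.quote()` rejects byte strings, and that quoting keeps an address as a single shell word. The command layout in `build_cmdline`, the helper names and the sample addresses are assumptions constructed for illustration, and only POSIX shell rules are covered (not cmd.exe).

```python
import shlex

# Constructed sample values (not taken from the thread).
SENDER = b"sender@example.org"
PLAIN = b"dev@example.org"
HOSTILE = b"dev@example.org; echo injected"


def shlex_accepts_bytes() -> bool:
    """Report whether shlex.quote() takes non-empty bytes on this Python."""
    try:
        shlex.quote(PLAIN)
    except (TypeError, AttributeError):
        return False
    return True


def quote_bytes(arg: bytes) -> bytes:
    """POSIX-shell-quote a bytes argument.

    latin-1 maps every byte to one code point and back, so the
    round trip through str is lossless for any local encoding.
    """
    return shlex.quote(arg.decode("latin-1")).encode("latin-1")


def build_cmdline(program: bytes, sender: bytes, recipients, quote=True) -> bytes:
    """Build a sendmail-style command line (hypothetical layout)."""
    q = quote_bytes if quote else (lambda b: b)
    return b"%s -f %s %s" % (program, q(sender),
                             b" ".join(q(r) for r in recipients))


def shell_words(cmdline: bytes):
    """Approximate how a POSIX shell splits the line into words."""
    return shlex.split(cmdline.decode("latin-1"))


if __name__ == "__main__":
    for quote in (False, True):
        line = build_cmdline(b"/usr/sbin/sendmail", SENDER, [HOSTILE], quote)
        print(quote, shell_words(line))
```

`shlex.split()` only models word splitting; a real shell would also treat the unquoted `;` as a command separator, which is the case the quoting prevents.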