Why is `~/.hgrc` a remote security hole when checked in?
Wujek Srujek
wujek.srujek at gmail.com
Tue Oct 15 06:56:47 UTC 2013
Warning: the example can get pretty dangerous so don't fiddle with it too
much if you don't know what you are doing!
Consider this: I check in a .hgrc that defines an alias like:
[alias]
commit = !echo rm -rf $HOME
and then you check a working copy out (and mercurial uses this file), do
some work and are ready to commit, and invoke 'hg commit'. What do you think
would happen? In this case, nothing interesting, but try to delete the
'echo' word... Or better don't.
In other words - one could potentially inject arbitrary code into your
mercurial installation.
wujek
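As an added defender-side example (not code from this thread or from the Mercurial project), here is a small Python audit that flags aliases whose definition begins with '!', which Mercurial executes as shell commands, and notes when such an alias shadows an everyday built-in command like 'commit'. The BUILTIN_COMMANDS set, the function names and the sample config are my own constructions.

```python
"""Audit a Mercurial config file for aliases that execute shell commands."""

# A small set of built-in hg commands; an alias with one of these names
# replaces the command a user types every day.
BUILTIN_COMMANDS = {"commit", "pull", "push", "update", "log", "status", "diff"}

# Constructed sample: a .hgrc that arrived inside a repository checkout.
SAMPLE_HGRC = """\
[ui]
username = Example User <user@example.invalid>

[alias]
lg = log -G
commit = !echo rm -rf $HOME
"""


def parse_section(text, wanted):
    """Return {key: value} for one [section] of an hgrc-style file.

    Handles comments and Mercurial's indented continuation lines; it does
    not follow %include directives, which a full audit would also open.
    """
    entries, section, key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", ";")):
            continue
        if raw[0].isspace() and key is not None and section == wanted:
            entries[key] += " " + raw.strip()  # indented continuation line
            continue
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section, key = line[1:-1].strip().lower(), None
            continue
        if section == wanted and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            entries[key] = value.strip()
    return entries


def find_shell_aliases(text):
    """Return [(name, command)] for aliases whose value starts with '!'."""
    return [(name, value[1:].strip())
            for name, value in parse_section(text, "alias").items()
            if value.startswith("!")]


def audit_hgrc(text):
    """Produce one finding per shell alias, noting shadowed built-ins."""
    findings = []
    for name, command in find_shell_aliases(text):
        note = " and shadows the built-in command" if name in BUILTIN_COMMANDS else ""
        findings.append(f"alias '{name}' runs a shell command{note}: {command}")
    return findings


if __name__ == "__main__":
    for finding in audit_hgrc(SAMPLE_HGRC):
        print(finding)
```

Run it against any hgrc-style file pulled out of a checkout before letting Mercurial read that file; an empty result means no shell aliases were found, not that the file is otherwise harmless.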
On Tue, Oct 15, 2013 at 7:42 AM, Dirk Heinrichs <dhs at recommind.com> wrote:
> Am 14.10.2013 23:45, schrieb Sam Steingold:
>
> > I was told on http://bz.selenic.com/show_bug.cgi?id=3147
> > that `~/.hgrc` is a remote security hole when checked in.
>
> Being a security hole or not, it's considered bad habit to mess with
> users config files. If you want to provide a default configuration for
> everyone, /etc is the place to put it in.
>
> Bye...
>
> Dirk
> --
>
> *Dirk Heinrichs*, Senior Systems Engineer, Infrastructure
> *Recommind GmbH*, Von-Liebig-Straße 1, 53359 Rheinbach
> *Tel*: +49 2226 1596666 1149
> *Email*: dhs at recommind.com <mailto:dhs at recommind.com>
> *Skype*: dirk.heinrichs.recommind
> www.recommind.com <http://www.recommind.com>