Questions regarding deny push & repo creation for customers

Mcadams, Philip W philip.w.mcadams at intel.com
Wed Feb 11 00:08:23 UTC 2015


Matt,

Internally our IT team has done a scan of Mercurial in CheckMarx and 5 vulnerabilities were identified:

Privacy Violation
Path Traversal
Insecure Randomness
Client Cross Frame Scripting Attack
Command Injection

The files where the issues were found were:
Test-hgweb-auth.py
Convcmd.py
Synthrepo.py
Run-tests.py
Lsprof.py

Just wanted to share this info.  I understand you guys are open source and wanted to keep you in the loop.

Thank you.

Philip McAdams
Software Configuration Management Engineer
NSG ISE Software Configuration Management & Network/Server Engineering
Desk: (916) 377-6156 Cell: (678) 770-3176 Pole: FM3-1-D7

-----Original Message-----
From: Matt Mackall [mailto:mpm at selenic.com] 
Sent: Friday, January 09, 2015 1:30 PM
To: Mcadams, Philip W
Cc: mercurial at selenic.com
Subject: Re: Questions regarding deny push & repo creation for customers

On Fri, 2015-01-09 at 21:14 +0000, Mcadams, Philip W wrote:
>  In addition to Kallithea I'd also found: https://hglabhq.com/ that 
> might give some more admin features but then we'd be stuck on Windows.

You'll probably also encounter pain adopting future features, as they've reimplemented a bunch of Mercurial's core in C#. 

--
Mathematics is the supreme nostalgia of our time.
