Questions regarding deny push & repo creation for customers

Augie Fackler raf at durin42.com
Wed Feb 11 14:18:26 UTC 2015


On Feb 10, 2015, at 7:08 PM, Mcadams, Philip W <philip.w.mcadams at intel.com> wrote:

> Matt,
> 
> Internally our IT team has done a scan of Mercurial in CheckMarx and 5 vulnerabilities were identified:
> 
> Privacy Violation
> Path Traversal
> Insecure Randomness
> Client Cross Frame Scripting Attack
> Command Injection
> 
> The files where the issues were found were:
> Test-hgweb-auth.py

This is an automated test, not used in deployment.

> Convcmd.py

This is used by the convert extension. Most users won't ever touch it.

> Synthrepo.py

This is used to build synthetic repositories for testing, not used in production.

> Run-tests.py

This is our test runner.

> Lsprof.py

This is used by our --profile command line flag. If you're not running the profiler, it shouldn't matter.

> 
> Just wanted to share this info.  I understand you guys are open source and wanted to keep you in the loop.

Can you share more details than just "some vulnerabilities of type X were found in some random files"? Preferably by filing well-written bug reports at http://bz.selenic.com/?

Thanks!

> 
> Thank you.
> 
> Philip McAdams
> Software Configuration Management Engineer
> NSG ISE Software Configuration Management & Network/Server Engineering
> Desk: (916) 377-6156 Cell: (678) 770-3176 Pole: FM3-1-D7
> 
> 
> 
> 
> -----Original Message-----
> From: Matt Mackall [mailto:mpm at selenic.com] 
> Sent: Friday, January 09, 2015 1:30 PM
> To: Mcadams, Philip W
> Cc: mercurial at selenic.com
> Subject: Re: Questions regarding deny push & repo creation for customers
> 
> On Fri, 2015-01-09 at 21:14 +0000, Mcadams, Philip W wrote:
>> In addition to Kallithea I'd also found: https://hglabhq.com/ that 
>> might give some more admin features but then we'd be stuck on Windows.
> 
> You'll probably also encounter pain adopting future features, as they've reimplemented a bunch of Mercurial's core in C#. 
> 
> --
> Mathematics is the supreme nostalgia of our time.
> 
> 
> _______________________________________________
> Mercurial mailing list
> Mercurial at selenic.com
> http://selenic.com/mailman/listinfo/mercurial

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.mercurial-scm.org/pipermail/mercurial/attachments/20150211/3dab3158/attachment.asc>