# HG changeset patch # User Floris Bruynooghe <f...@google.com> # Date 1569794518 -7200 # Mon Sep 30 00:01:58 2019 +0200 # Node ID 01ba660965efded7d336ecf06270117bf98c6669 # Parent bbf77341a956b3ba40ae87538fcd200b34c5a3e5 patchbomb: protect email addresses from shell
When patchbomb sends email via a sendmail-like program it invokes this using procutil.popen which passes the string to a shell to be parsed. To protect any special characters in the email addresses on the command line from being interpretered by the shell they must be quoted.
diff --git a/mercurial/mail.py b/mercurial/mail.py
--- a/mercurial/mail.py
+++ b/mercurial/mail.py
@@ -152,7 +152,7 @@ def _smtp(ui):
 def _sendmail(ui, sender, recipients, msg):
 '''send mail using sendmail.'''
 program = ui.config('email', 'method')
- stremail = lambda x: stringutil.email(encoding.strtolocal(x))
+ stremail = lambda x: '\'' + stringutil.email(encoding.strtolocal(x)) + '\''
 cmdline = '%s -f %s %s' % (program, stremail(sender), ' '.join(map(stremail, recipients)))
 ui.note(_('sending mail: %s\n') % cmdline)
diff --git a/tests/test-patchbomb.t b/tests/test-patchbomb.t
--- a/tests/test-patchbomb.t
+++ b/tests/test-patchbomb.t
@@ -3033,7 +3033,7 @@ single rev
 +d
 sending [PATCH] test ...
- sending mail: $TESTTMP/t2/pretendmail.sh -f test foo
+ sending mail: $TESTTMP/t2/pretendmail.sh -f 'test' 'foo'
 Test pull url header
 =================================
_______________________________________________ Mercurial-devel mailing list Mercurial-devel@mercurial-scm.org https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
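Review bot: Wrapping the address in literal `'` characters in the new `stremail` lambda of `_sendmail` (mercurial/mail.py) does not cover an address that itself contains a single quote: the embedded quote ends the quoted word, so the rest of the address is parsed by the shell again. Single quotes are also not a quoting character under every shell the command may run in, cmd.exe on Windows being one. The project's platform-aware helper handles both cases: `stremail = lambda x: procutil.shellquote(stringutil.email(encoding.strtolocal(x)))`. A test-patchbomb.t case with an address containing `'` would pin the behaviour. `_sendmail` continues past the end of the hunk, so how `cmdline` is finally passed on is not visible here.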