> On Aug 11, 2017, at 05:10, Dr Rainer Woitok <rainer.woi...@gmail.com> wrote:
> 
> Augie,
> 
> On Thursday, 2017-08-10 14:11:52 -0400, you wrote:
> 
>> ...
>>> CVE-2017-1000115:
>>> 
>>> Mercurial's symlink auditing was incomplete prior to 4.3, and could be 
>>> abused to write to files outside the repository.
> 
> What precisely does that mean?  Is it no longer possible to have a version
> controlled symbolic link somewhere in the working directory which points to
> some place outside the Mercurial repository?  Some of my repositories heavily
> depend on this :-(
> 
> I searched the web for "CVE-2017-1000115", but found neither a detailed
> description of the problem nor of the solution.
> 
> Anybody caring to shed some light on this?

You can still have a symlink that points outside the repo, that's fine. We just 
now adequately sanitize things and avoid accidental writes to outside the 
repository tree.

> Sincerely,
>  Rainer

_______________________________________________
Mercurial mailing list
Mercurial@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial
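
Added example, not part of the original messages and not Mercurial's own code: a simplified sketch of the distinction drawn in the reply above, where a tracked symlink may itself point outside the repository, but a write whose path passes through a symlink is refused. The names `audit_write_path` and `UnsafePath` and the temporary directory layout are assumptions made for illustration.

```python
import os
import tempfile


class UnsafePath(Exception):
    """Raised when a repository-relative path must not be written."""


def audit_write_path(repo_root, relpath):
    """Return the absolute write target for relpath, or raise UnsafePath.

    The final component may itself be a symlink (a tracked link may point
    anywhere). No parent component may be one, because writing through it
    would land outside the working directory.
    """
    if os.path.isabs(relpath):
        raise UnsafePath(f"absolute path: {relpath!r}")
    parts = relpath.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise UnsafePath(f"non-canonical path: {relpath!r}")
    current = repo_root
    for parent in parts[:-1]:
        current = os.path.join(current, parent)
        # islink() uses lstat(), so the link under test is not followed.
        if os.path.islink(current):
            raise UnsafePath(f"{relpath!r} traverses symlink {parent!r}")
    return os.path.join(repo_root, *parts)


def demo():
    """Build a constructed layout and audit four constructed sample paths."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(repo, "src"))
        os.mkdir(outside)
        # A version-controlled symlink pointing outside the repository.
        os.symlink(outside, os.path.join(repo, "link"))
        for path in ("src/a.txt", "link", "link/evil.txt", "../outside/x"):
            try:
                audit_write_path(repo, path)
                results[path] = "ok"
            except UnsafePath:
                results[path] = "rejected"
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:9} {path}")
```

A check like this is only as good as the tree it inspected: if another process can swap a directory for a symlink between the audit and the write, the result is stale.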
