--- a/mercurial/subrepo.py	Wed Mar 16 17:30:26 2016 -0700
+++ b/mercurial/subrepo.py	Sun Mar 20 21:52:21 2016 -0700
@@ -1383,6 +1383,11 @@
         are not supported and very probably fail.
         """
         self.ui.debug('%s: git %s\n' % (self._relpath, ' '.join(commands)))
+        if env is None:
+            env = os.environ.copy()
+        # fix for Git CVE-2015-7545
+        if 'GIT_ALLOW_PROTOCOL' not in env:
+            env['GIT_ALLOW_PROTOCOL'] = 'file:git:http:https:ssh'
         # unless ui.quiet is set, print git's stderr,
         # which is mostly progress and useful info
         errpipe = None
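Review bot: The comment `# fix for Git CVE-2015-7545` does not say what is being restricted or why, and the test added in this commit labels the same issue CVE-2016-3068. I would replace it with a comment that names both identifiers and states that the subrepo source comes from `.hgsub`, that an `ext::` source would run a command, that a GIT_ALLOW_PROTOCOL already present in the environment is deliberately kept, and that git releases which predate the variable ignore it. Separately, when a caller passes its own `env`, the assignment writes into that dict; `env = os.environ.copy() if env is None else dict(env)` followed by `env.setdefault('GIT_ALLOW_PROTOCOL', 'file:git:http:https:ssh')` avoids the side effect. The enclosing function starts and ends outside the hunk, so whether any caller actually passes `env` cannot be confirmed here.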
--- a/tests/test-subrepo-git.t	Wed Mar 16 17:30:26 2016 -0700
+++ b/tests/test-subrepo-git.t	Sun Mar 20 21:52:21 2016 -0700
@@ -1132,4 +1132,36 @@
   ? s/foobar.orig
   ? s/snake.python.orig
 
+test for Git CVE-2016-3068
+  $ hg init malicious-subrepository
+  $ cd malicious-subrepository
+  $ echo "s = [git]ext::sh -c echo% pwned% >&2" > .hgsub
+  $ git init s
+  Initialized empty Git repository in $TESTTMP/tc/malicious-subrepository/s/.git/
+  $ cd s
+  $ git commit --allow-empty -m 'empty'
+  [master (root-commit) 153f934] empty
   $ cd ..
+  $ hg add .hgsub
+  $ hg commit -m "add subrepo"
+  $ cd ..
+  $ env -u GIT_ALLOW_PROTOCOL hg clone malicious-subrepository malicious-subrepository-protected
+  Cloning into '$TESTTMP/tc/malicious-subrepository-protected/s'...
+  fatal: transport 'ext' not allowed
+  updating to branch default
+  cloning subrepo s from ext::sh -c echo% pwned% >&2
+  abort: git clone error 128 in s (in subrepo s)
+  [255]
+
+whitelisting of ext should be respected (that's the git submodule behaviour)
+  $ env GIT_ALLOW_PROTOCOL=ext hg clone malicious-subrepository malicious-subrepository-clone-allowed
+  Cloning into '$TESTTMP/tc/malicious-subrepository-clone-allowed/s'...
+  pwned
+  fatal: Could not read from remote repository.
+  
+  Please make sure you have the correct access rights
+  and the repository exists.
+  updating to branch default
+  cloning subrepo s from ext::sh -c echo% pwned% >&2
+  abort: git clone error 128 in s (in subrepo s)
+  [255]
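Review bot: The expected output pins values that come from git rather than from Mercurial: the abbreviated hash in `[master (root-commit) 153f934] empty` and the exact stderr wording of both failed clones. If author identity and dates are not fixed earlier in this test file (not visible in the hunk), the hash line will not be reproducible; `[master (root-commit) *] empty (glob)` keeps the check without that dependency. The first case also passes only with a git that honours GIT_ALLOW_PROTOCOL, so a short comment above `test for Git CVE-2016-3068` stating that requirement would explain a failure on an older git.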