mirror of
https://github.com/facebook/sapling.git
synced 2024-10-05 14:28:17 +03:00
00e0310f1a
Summary:
In hgmain, set the environment variable NoDefaultCurrentDirectoryInExePath to disable the default Windows behavior of including the current working directory in PATH.
This avoids security issues where sl could execute a binary from the CWD (i.e. untrusted repo's working copy) instead of the proper system binary. For example, if the repo contains a binary named "watchman", code such as `util.popen4("watchman debug-status")` would prefer the repo's "watchman" to the system watchman.
Setting NoDefaultCurrentDirectoryInExePath assumes there is no legitimate use of this behavior when running other programs from within sl. I wouldn't be surprised if _something_ is depending on this behavior, but it doesn't seem like anything _should_ depend on it.
I like this approach since it should prevent all occurrences of this issue (i.e. including Python, Rust, ISL, etc). Another approach that isn't totally mutually exclusive with this approach is to add runtime checks to make sure we aren't accidentally running programs from the working copy (but still allow the CurrentDirectoryInExePath behavior). That seems harder to implement and verify/maintain.
Reviewed By: quark-zju
Differential Revision: D42154134
fbshipit-source-id: f625bb51e470c320ac96f803b55cb2c4ab4e44ec
22 lines
368 B
Perl
22 lines
368 B
Perl
#chg-compatible
|
|
|
|
$ configure modernclient
|
|
|
|
$ newclientrepo
|
|
#if windows
|
|
$ cat > watchman.bat <<EOF
|
|
> type nul > oops
|
|
> EOF
|
|
#else
|
|
$ cat > watchman <<EOF
|
|
> touch oops
|
|
> EOF
|
|
$ chmod +x watchman
|
|
#endif
|
|
$ hg commit -Aqm foo
|
|
$ touch bar
|
|
$ hg commit -Aqm bar
|
|
This is the code under test - don't run the "watchman" in CWD.
|
|
$ hg up -q .^
|
|
$ hg status
|