HGKeeper

Deny invalid path

12 months ago, aklitzing

5a19892df841

Deny invalid path

If an authenticated user calls `hg init hg.host.com/dummy/../../../etc`
it will create the repository in another root directory if the process of
hgkeeper has permissions for this.
This could be an attack to the server.

Also hgkeeper admin repository can be overriden like this.
`hg init ssh://hg.host.com/dummy/../hgkeeper/keys`

Reviewed at https://reviews.imfreedom.org/r/2422/

1.1.0: (2023-01-04)

* Add a warning message when a duplicate key is loaded. No behavior changes

were made so that users depending on the broken behavior can continue

working. (HGKEEPER-22)

* Removed the mercurial 6.1 pin from the container image.

* Normalize paths before passing them to the authorization checker. This bug

allowed attackers to read repositories they shouldn't have been able to by

adding a / on to the end of the path. The hgkeeper repo in the default

configuration is susceptible to this attack.

1.0.0: (2022-06-21)

* Official first release!

grim/hgkeeper