meineerde/redmine
1
0
Fork 0
mirror of https://github.com/meineerde/redmine.git synced 2025-12-30 04:09:38 +00:00
Code Issues Releases Wiki Activity
13,587 Commits 32 Branches 194 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Toshi MARUYAMA ca87bf766c mercurial: reject malicious command argument (#27516) 
We've got a security report from the Phabricator team, which basically says
--config and --debugger arguments can be injected anywhere to lead to an
arbitrary command execution.

https://secure.phabricator.com/rPa7921a4448093d00defa8bd18f35b8c8f8bf3314

This is a fundamental issue of the argument parsing rules in Mercurial, which
allows extensions to populate their parsing rules and such extensions can be
loaded by "--config extensions.<name>=". There's a chicken and egg problem.
We're working on hardening the parsing rules, but which won't come in by
default as it would be a behavior change.

This patch adds a verification to reject malicious command arguments as a
last ditch. The subsequent patches will fix the problem in more appropriate
way.

Contributed by Yuya Nishihara.

git-svn-id: http://svn.redmine.org/redmine/trunk@17060 e93f8b46-1217-0410-a6f0-8f06a7374b81
2017-12-07 11:38:23 +00:00
.github
add horizontal rule to GitHub pull request template
2017-01-27 11:56:51 +00:00
app
Disallow creating inverse relates issue relations (#27663).
2017-12-06 09:01:07 +00:00
bin
Moves changelog.rb to /bin.
2017-07-23 12:51:36 +00:00
config
Fix typo in configuration.yml.example (#27670).
2017-11-29 08:14:52 +00:00
db/migrate
fix db migrate broken by r16889 (#26548)
2017-07-27 04:05:40 +00:00
doc
Adds changes from 3.3.5.
2017-10-15 19:50:46 +00:00
extra
use versioned migrations for sample plugin in the same way of core r16807
2017-08-31 15:57:32 +00:00
files
trunk moved from /trunk/redmine to /trunk
2006-12-05 20:45:04 +00:00
lib
mercurial: reject malicious command argument (#27516)
2017-12-07 11:38:23 +00:00
log
add newline at end of log/delete.me (#24928)
2017-01-27 04:37:14 +00:00
plugins
Merged rails-3.2 branch.
2012-04-25 17:17:49 +00:00
public
Spanish/Panama translation update for jstoolbar-es-pa.js (#27649).
2017-11-27 15:15:34 +00:00
test
mercurial: reject malicious command argument (#27516)
2017-12-07 11:38:23 +00:00
tmp
add tmp/pdf directory (#12189)
2012-10-23 10:50:09 +00:00
.gitignore
Source: ignore .idea (#24523).
2017-01-15 16:31:30 +00:00
.hgignore
Source: ignore .idea (#24523).
2017-01-15 16:31:30 +00:00
appveyor.yml
show Windows code page on appveyor
2017-04-06 21:45:09 +00:00
config.ru
Merged rails-3.2 branch.
2012-04-25 17:17:49 +00:00
CONTRIBUTING.md
fix typo and use "GitHub" instead of "github" at CONTRIBUTING.md
2014-11-21 04:11:02 +00:00
Gemfile
Gemfile: pin mail gem version to prevent failure of MailHandlerTest#test_add_issue_with_localized_attributes
2017-11-05 19:31:53 +00:00
Rakefile
Merged rails-3.2 branch.
2012-04-25 17:17:49 +00:00
README.rdoc
Typo
2011-11-19 16:10:28 +00:00

README.rdoc 

= Redmine

Redmine is a flexible project management web application written using Ruby on Rails framework.

More details can be found in the doc directory or on the official website http://www.redmine.org
Description
No description provided
Readme 93 MiB
Languages
Ruby 78.7%
HTML 15.1%
JavaScript 3.7%
CSS 2.1%
Perl 0.3%
Other 0.1%