Angel Ezquerra committed 9098e0b

Add "Security Implications of Using this Extension" section

Files changed (1)

 you run the mercurial incoming command, and shows a message if a
 change is found.
 
+Security Implications of Using this Extension
+=============================================
+
+Although the extension has been designed to be as safe as possible,
+enabling and configuring this extension has security implications.
+
+The extension is secure by default, because in order to start
+receiving and updating your ``.hg/projrc`` files you must first
+whitelist the servers to transfer the file from and which settings
+to transfer.
+
+However you must be careful when including settings from untrusted
+sources because some mercurial settings allow a malicious user to
+configure mercurial to execute arbitrary code on your machine or
+change your local mercurial configuration.
+
+This means that you should only add servers you trust to your
+server list, and only include those settings that are strictly
+necessary. If you are a system administrator of a central repo that
+is meant to distribute a projrc file you should be extra careful
+to ensure that nobody modifies the projrc file without your
+permission.
 
 Sponsoring
 ==========
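Review bot: The warning in the paragraph starting "However you must be careful" says only that "some mercurial settings allow a malicious user to configure mercurial to execute arbitrary code" and never names them, so a reader deciding which settings to whitelist cannot tell the risky ones from the harmless ones. Please list the settings or configuration sections you have in mind, or link to where they are documented, and point to the part of the README that documents the server and settings whitelist so that "secure by default" can be checked against the actual option names. The closing advice to administrators ("ensure that nobody modifies the projrc file without your permission") would also be more useful with one sentence on how to do that. Minor style points: "whitelist the servers to transfer the file from and which settings to transfer" reads awkwardly, "However" needs a comma after it, and "mercurial" should be capitalised when it refers to the product.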