OVAL

ALAS-2017-893 ---- mercurial, emacs-mercurial

ID: oval:org.secpod.oval:def:1600772
Date: (C)2017-09-21   (M)2023-04-19
Class: PATCH
Family: unix




A shell command injection flaw related to the handling of "ssh" URLs has been discovered in Mercurial. This can be exploited to execute shell commands with the privileges of the user running the Mercurial client, for example, when performing a "checkout" or "update" action on a sub-repository within a malicious repository or a legitimate repository containing a malicious commit.

A vulnerability was found in the way Mercurial handles path auditing and caches the results. An attacker could abuse a repository with a series of commits mixing symlinks and regular files/directories to trick Mercurial into writing outside of a given repository.

Platform:
Amazon Linux AMI
Product:
mercurial
emacs-mercurial
Reference:
ALAS-2017-893
CVE-2017-1000116
CVE-2017-1000115
CVE (2):
CVE-2017-1000115
CVE-2017-1000116
CPE (2):
cpe:/o:amazon:linux
cpe:/a:atlassian:mercurial

© SecPod Technologies