7d0f2b
diff --git a/hgext/convert/common.py b/hgext/convert/common.py
7d0f2b
index e27346b..842ae71 100644
7d0f2b
--- a/hgext/convert/common.py
7d0f2b
+++ b/hgext/convert/common.py
7d0f2b
@@ -295,6 +295,9 @@ class commandline(object):
7d0f2b
     def _run2(self, cmd, *args, **kwargs):
7d0f2b
         return self._dorun(util.popen2, cmd, *args, **kwargs)
7d0f2b
 
7d0f2b
+    def _run3(self, cmd, *args, **kwargs):
7d0f2b
+        return self._dorun(util.popen3, cmd, *args, **kwargs)
7d0f2b
+
7d0f2b
     def _dorun(self, openfunc, cmd,  *args, **kwargs):
7d0f2b
         cmdline = self._cmdline(cmd, *args, **kwargs)
7d0f2b
         self.ui.debug('running: %s\n' % (cmdline,))
7d0f2b
diff --git a/hgext/convert/git.py b/hgext/convert/git.py
7d0f2b
index 3fd0884..8123b55 100644
7d0f2b
--- a/hgext/convert/git.py
7d0f2b
+++ b/hgext/convert/git.py
7d0f2b
@@ -7,11 +7,11 @@
7d0f2b
 
7d0f2b
 import os
7d0f2b
 import subprocess
7d0f2b
-from mercurial import util, config
7d0f2b
+from mercurial import util, config, error
7d0f2b
 from mercurial.node import hex, nullid
7d0f2b
 from mercurial.i18n import _
7d0f2b
 
7d0f2b
-from common import NoRepo, commit, converter_source, checktool
7d0f2b
+from common import NoRepo, commit, converter_source, checktool, commandline
7d0f2b
 
7d0f2b
 class submodule(object):
7d0f2b
     def __init__(self, path, node, url):
7d0f2b
@@ -25,54 +25,32 @@ class submodule(object):
7d0f2b
     def hgsubstate(self):
7d0f2b
         return "%s %s" % (self.node, self.path)
7d0f2b
 
7d0f2b
-class convert_git(converter_source):
7d0f2b
+class convert_git(converter_source, commandline):
7d0f2b
     # Windows does not support GIT_DIR= construct while other systems
7d0f2b
     # cannot remove environment variable. Just assume none have
7d0f2b
     # both issues.
7d0f2b
-    if util.safehasattr(os, 'unsetenv'):
7d0f2b
-        def gitopen(self, s, err=None):
7d0f2b
-            prevgitdir = os.environ.get('GIT_DIR')
7d0f2b
-            os.environ['GIT_DIR'] = self.path
7d0f2b
-            try:
7d0f2b
-                if err == subprocess.PIPE:
7d0f2b
-                    (stdin, stdout, stderr) = util.popen3(s)
7d0f2b
-                    return stdout
7d0f2b
-                elif err == subprocess.STDOUT:
7d0f2b
-                    return self.popen_with_stderr(s)
7d0f2b
-                else:
7d0f2b
-                    return util.popen(s, 'rb')
7d0f2b
-            finally:
7d0f2b
-                if prevgitdir is None:
7d0f2b
-                    del os.environ['GIT_DIR']
7d0f2b
-                else:
7d0f2b
-                    os.environ['GIT_DIR'] = prevgitdir
7d0f2b
-    else:
7d0f2b
-        def gitopen(self, s, err=None):
7d0f2b
-            if err == subprocess.PIPE:
7d0f2b
-                (sin, so, se) = util.popen3('GIT_DIR=%s %s' % (self.path, s))
7d0f2b
-                return so
7d0f2b
-            elif err == subprocess.STDOUT:
7d0f2b
-                    return self.popen_with_stderr(s)
7d0f2b
-            else:
7d0f2b
-                return util.popen('GIT_DIR=%s %s' % (self.path, s), 'rb')
7d0f2b
-
7d0f2b
-    def popen_with_stderr(self, s):
7d0f2b
-        p = subprocess.Popen(s, shell=True, bufsize=-1,
7d0f2b
-                             close_fds=util.closefds,
7d0f2b
-                             stdin=subprocess.PIPE,
7d0f2b
-                             stdout=subprocess.PIPE,
7d0f2b
-                             stderr=subprocess.STDOUT,
7d0f2b
-                             universal_newlines=False,
7d0f2b
-                             env=None)
7d0f2b
-        return p.stdout
7d0f2b
-
7d0f2b
-    def gitread(self, s):
7d0f2b
-        fh = self.gitopen(s)
7d0f2b
-        data = fh.read()
7d0f2b
-        return data, fh.close()
7d0f2b
+
7d0f2b
+    def _gitcmd(self, cmd, *args, **kwargs):
7d0f2b
+        return cmd('--git-dir=%s' % self.path, *args, **kwargs)
7d0f2b
+
7d0f2b
+    def gitrun0(self, *args, **kwargs):
7d0f2b
+        return self._gitcmd(self.run0, *args, **kwargs)
7d0f2b
+
7d0f2b
+    def gitrun(self, *args, **kwargs):
7d0f2b
+        return self._gitcmd(self.run, *args, **kwargs)
7d0f2b
+
7d0f2b
+    def gitrunlines0(self, *args, **kwargs):
7d0f2b
+        return self._gitcmd(self.runlines0, *args, **kwargs)
7d0f2b
+
7d0f2b
+    def gitrunlines(self, *args, **kwargs):
7d0f2b
+        return self._gitcmd(self.runlines, *args, **kwargs)
7d0f2b
+
7d0f2b
+    def gitpipe(self, *args, **kwargs):
7d0f2b
+        return self._gitcmd(self._run3, *args, **kwargs)
7d0f2b
 
7d0f2b
     def __init__(self, ui, path, rev=None):
7d0f2b
         super(convert_git, self).__init__(ui, path, rev=rev)
7d0f2b
+        commandline.__init__(self, ui, 'git')
7d0f2b
 
7d0f2b
         if os.path.isdir(path + "/.git"):
7d0f2b
             path += "/.git"
7d0f2b
@@ -86,11 +64,11 @@ class convert_git(converter_source):
7d0f2b
 
7d0f2b
     def getheads(self):
7d0f2b
         if not self.rev:
7d0f2b
-            heads, ret = self.gitread('git rev-parse --branches --remotes')
7d0f2b
-            heads = heads.splitlines()
7d0f2b
+            output, ret = self.gitrun('rev-parse', '--branches', '--remotes')
7d0f2b
+            heads = output.splitlines()
7d0f2b
         else:
7d0f2b
-            heads, ret = self.gitread("git rev-parse --verify %s" % self.rev)
7d0f2b
-            heads = [heads[:-1]]
7d0f2b
+            rawhead, ret = self.gitrun('rev-parse', '--verify', self.rev)
7d0f2b
+            heads = [rawhead[:-1]]
7d0f2b
         if ret:
7d0f2b
             raise util.Abort(_('cannot retrieve git heads'))
7d0f2b
         return heads
7d0f2b
@@ -98,7 +76,7 @@ class convert_git(converter_source):
7d0f2b
     def catfile(self, rev, type):
7d0f2b
         if rev == hex(nullid):
7d0f2b
             raise IOError
7d0f2b
-        data, ret = self.gitread("git cat-file %s %s" % (type, rev))
7d0f2b
+        data, ret = self.gitrun('cat-file', type, rev)
7d0f2b
         if ret:
7d0f2b
             raise util.Abort(_('cannot read %r object at %s') % (type, rev))
7d0f2b
         return data
7d0f2b
@@ -137,25 +115,28 @@ class convert_git(converter_source):
7d0f2b
                 self.submodules.append(submodule(s['path'], '', s['url']))
7d0f2b
 
7d0f2b
     def retrievegitmodules(self, version):
7d0f2b
-        modules, ret = self.gitread("git show %s:%s" % (version, '.gitmodules'))
7d0f2b
+        modules, ret = self.gitrun('show', '%s:%s' % (version, '.gitmodules'))
7d0f2b
         if ret:
7d0f2b
             raise util.Abort(_('cannot read submodules config file in %s') %
7d0f2b
                              version)
7d0f2b
         self.parsegitmodules(modules)
7d0f2b
         for m in self.submodules:
7d0f2b
-            node, ret = self.gitread("git rev-parse %s:%s" % (version, m.path))
7d0f2b
+            node, ret = self.gitrun('rev-parse', '%s:%s' % (version, m.path))
7d0f2b
             if ret:
7d0f2b
                 continue
7d0f2b
             m.node = node.strip()
7d0f2b
 
7d0f2b
     def getchanges(self, version):
7d0f2b
         self.modecache = {}
7d0f2b
-        fh = self.gitopen("git diff-tree -z --root -m -r %s" % version)
7d0f2b
+        cmd = ['diff-tree','-z', '--root', '-m', '-r'] + [version]
7d0f2b
+        output, status = self.gitrun(*cmd)
7d0f2b
+        if status:
7d0f2b
+            raise error.Abort(_('cannot read changes in %s') % version)
7d0f2b
         changes = []
7d0f2b
         seen = set()
7d0f2b
         entry = None
7d0f2b
         subexists = False
7d0f2b
-        for l in fh.read().split('\x00'):
7d0f2b
+        for l in output.split('\x00'):
7d0f2b
             if not entry:
7d0f2b
                 if not l.startswith(':'):
7d0f2b
                     continue
7d0f2b
@@ -178,8 +159,6 @@ class convert_git(converter_source):
7d0f2b
                     self.modecache[(f, h)] = (p and "x") or (s and "l") or ""
7d0f2b
                     changes.append((f, h))
7d0f2b
             entry = None
7d0f2b
-        if fh.close():
7d0f2b
-            raise util.Abort(_('cannot read changes in %s') % version)
7d0f2b
 
7d0f2b
         if subexists:
7d0f2b
             self.retrievegitmodules(version)
7d0f2b
@@ -224,12 +203,14 @@ class convert_git(converter_source):
7d0f2b
     def gettags(self):
7d0f2b
         tags = {}
7d0f2b
         alltags = {}
7d0f2b
-        fh = self.gitopen('git ls-remote --tags "%s"' % self.path,
7d0f2b
-                          err=subprocess.STDOUT)
7d0f2b
+        output, status = self.gitrunlines('ls-remote', '--tags', self.path)
7d0f2b
+
7d0f2b
+        if status:
7d0f2b
+            raise error.Abort(_('cannot read tags from %s') % self.path)
7d0f2b
         prefix = 'refs/tags/'
7d0f2b
 
7d0f2b
         # Build complete list of tags, both annotated and bare ones
7d0f2b
-        for line in fh:
7d0f2b
+        for line in output:
7d0f2b
             line = line.strip()
7d0f2b
             if line.startswith("error:") or line.startswith("fatal:"):
7d0f2b
                 raise util.Abort(_('cannot read tags from %s') % self.path)
7d0f2b
@@ -237,8 +218,6 @@ class convert_git(converter_source):
7d0f2b
             if not tag.startswith(prefix):
7d0f2b
                 continue
7d0f2b
             alltags[tag[len(prefix):]] = node
7d0f2b
-        if fh.close():
7d0f2b
-            raise util.Abort(_('cannot read tags from %s') % self.path)
7d0f2b
 
7d0f2b
         # Filter out tag objects for annotated tag refs
7d0f2b
         for tag in alltags:
7d0f2b
@@ -255,18 +234,20 @@ class convert_git(converter_source):
7d0f2b
     def getchangedfiles(self, version, i):
7d0f2b
         changes = []
7d0f2b
         if i is None:
7d0f2b
-            fh = self.gitopen("git diff-tree --root -m -r %s" % version)
7d0f2b
-            for l in fh:
7d0f2b
+            output, status = self.gitrunlines('diff-tree', '--root', '-m',
7d0f2b
+                                              '-r', version)
7d0f2b
+            if status:
7d0f2b
+                raise error.Abort(_('cannot read changes in %s') % version)
7d0f2b
+            for l in output:
7d0f2b
                 if "\t" not in l:
7d0f2b
                     continue
7d0f2b
                 m, f = l[:-1].split("\t")
7d0f2b
                 changes.append(f)
7d0f2b
         else:
7d0f2b
-            fh = self.gitopen('git diff-tree --name-only --root -r %s '
7d0f2b
-                              '"%s^%s" --' % (version, version, i + 1))
7d0f2b
-            changes = [f.rstrip('\n') for f in fh]
7d0f2b
-        if fh.close():
7d0f2b
-            raise util.Abort(_('cannot read changes in %s') % version)
7d0f2b
+            output, status = self.gitrunlines('diff-tree', '--name-only',
7d0f2b
+                                              '--root', '-r', version,
7d0f2b
+                                              '%s^%s' % (version, i + 1), '--')
7d0f2b
+            changes = [f.rstrip('\n') for f in output]
7d0f2b
 
7d0f2b
         return changes
7d0f2b
 
7d0f2b
@@ -278,14 +259,14 @@ class convert_git(converter_source):
7d0f2b
         prefixlen = len(prefix)
7d0f2b
 
7d0f2b
         # factor two commands
7d0f2b
-        gitcmd = { 'remote/': 'git ls-remote --heads origin',
7d0f2b
-                          '': 'git show-ref'}
7d0f2b
+        gitcmd = { 'remote/': ['ls-remote', '--heads origin'],
7d0f2b
+                          '': ['show-ref']}
7d0f2b
 
7d0f2b
         # Origin heads
7d0f2b
         for reftype in gitcmd:
7d0f2b
             try:
7d0f2b
-                fh = self.gitopen(gitcmd[reftype], err=subprocess.PIPE)
7d0f2b
-                for line in fh:
7d0f2b
+                output, status = self.gitrunlines(*gitcmd[reftype])
7d0f2b
+                for line in output:
7d0f2b
                     line = line.strip()
7d0f2b
                     rev, name = line.split(None, 1)
7d0f2b
                     if not name.startswith(prefix):
7d0f2b
7d0f2b
diff --git a/tests/test-convert-git.t b/tests/test-convert-git.t
7d0f2b
index 21f18d2..7eb068b 100644
7d0f2b
--- a/tests/test-convert-git.t
7d0f2b
+++ b/tests/test-convert-git.t
7d0f2b
@@ -341,7 +341,7 @@ damage git repository by renaming a commit object
7d0f2b
   $ COMMIT_OBJ=1c/0ce3c5886f83a1d78a7b517cdff5cf9ca17bdd
7d0f2b
   $ mv git-repo4/.git/objects/$COMMIT_OBJ git-repo4/.git/objects/$COMMIT_OBJ.tmp
7d0f2b
   $ hg convert git-repo4 git-repo4-broken-hg 2>&1 | grep 'abort:'
7d0f2b
-  abort: cannot read tags from git-repo4/.git
7d0f2b
+  abort: cannot retrieve number of commits in git-repo4/.git
7d0f2b
   $ mv git-repo4/.git/objects/$COMMIT_OBJ.tmp git-repo4/.git/objects/$COMMIT_OBJ
7d0f2b
 damage git repository by renaming a blob object
7d0f2b
 
7d0f2b
@@ -356,3 +356,20 @@ damage git repository by renaming a tree object
7d0f2b
   $ mv git-repo4/.git/objects/$TREE_OBJ git-repo4/.git/objects/$TREE_OBJ.tmp
7d0f2b
   $ hg convert git-repo4 git-repo4-broken-hg 2>&1 | grep 'abort:'
7d0f2b
   abort: cannot read changes in 1c0ce3c5886f83a1d78a7b517cdff5cf9ca17bdd
7d0f2b
+
7d0f2b
+test for escaping the repo name (CVE-2016-3069)
7d0f2b
+
7d0f2b
+  $ git init '`echo pwned >COMMAND-INJECTION`'
7d0f2b
+  Initialized empty Git repository in $TESTTMP/`echo pwned >COMMAND-INJECTION`/.git/
7d0f2b
+  $ cd '`echo pwned >COMMAND-INJECTION`'
7d0f2b
+  $ git commit -q --allow-empty -m 'empty'
7d0f2b
+  $ cd ..
7d0f2b
+  $ hg convert '`echo pwned >COMMAND-INJECTION`' 'converted'
7d0f2b
+  initializing destination converted repository
7d0f2b
+  scanning source...
7d0f2b
+  sorting...
7d0f2b
+  converting...
7d0f2b
+  0 empty
7d0f2b
+  updating bookmarks
7d0f2b
+  $ test -f COMMAND-INJECTION
7d0f2b
+  [1]