python-GitPython/CVE-2023-41040.patch
Dirk Mueller 706e74aae0 - drop of CVE-2023-41040.patch because it is included in the upstream version
- drop of test-skips.patch
- drop of test_blocking_lock_file-extra-time.patch
- Update to version 3.1.43:
  * Issue and test deprecation warnings by @EliahKagan in #1886
  * Fix version_info cache invalidation, typing, parsing, and serialization by @EliahKagan in #1838
  * Document manual refresh path treatment by @EliahKagan in #1839
  * Improve static typing and docstrings related to git object types by @EliahKagan in #1859
  * Fix release link in changelog by @PeterJCLaw in #1795
  * Remove test dependency on sumtypes library by @EliahKagan in #1798
  * Pin Sphinx plugins to compatible versions by @EliahKagan in #1803
  * fix: treeNotSorted issue by @et-repositories in #1799
  * Remove git.util.NullHandler by @EliahKagan in #1807
  * Clarify why GIT_PYTHON_GIT_EXECUTABLE may be set on failure by @EliahKagan in #1810
  * Report actual attempted Git command when Git.refresh fails by @EliahKagan in #1812
  * Don't suppress messages when logging is not configured by @EliahKagan in #1813
  * Pin Python 3.9.16 on Cygwin CI by @EliahKagan in #1814
  * Have initial refresh use a logger to warn by @EliahKagan in #1815
  * Omit warning prefix in "Bad git executable" message by @EliahKagan in #1816
  * Test with M1 macOS CI runner by @EliahKagan in #1817
  * Bump pre-commit/action from 3.0.0 to 3.0.1 by @dependabot in #1818
  * Bump Vampire/setup-wsl from 2.0.2 to 3.0.0 by @dependabot in #1819
  * Remove deprecated section in README.md by @marcm-ml in #1823
  * Keep temp files out of project dir and improve cleanup by @EliahKagan in #1825
  * Add __all__ in git.exc by @EliahKagan in #1719
  * Set submodule update cadence to weekly by @EliahKagan in #1721
  * Never modify sys.path by @EliahKagan in #1720
  * Bump git/ext/gitdb from 8ec2390 to ec58b7e by @dependabot in #1722
  * Revise comments, docstrings, some messages, and a bit of code by @EliahKagan in #1725
  * Use zero-argument super() by @EliahKagan in #1726
  * Remove obsolete note in _iter_packed_refs by @EliahKagan in #1727
  * Reorganize test_util and make xfail marks precise by @EliahKagan in #1729
  * Clarify license and make module top comments more consistent by @EliahKagan in #1730
  * Deprecate compat.is_, rewriting all uses by @EliahKagan in #1732
  * Revise and restore some module docstrings by @EliahKagan in #1735
  * Make the rmtree callback Windows-only by @EliahKagan in #1739
  * List all non-passing tests in test summaries by @EliahKagan in #1740
  * Document some minor subtleties in test_util.py by @EliahKagan in #1749
  * Always read metadata files as UTF-8 in setup.py by @EliahKagan in #1748
  * Test native Windows on CI by @EliahKagan in #1745
  * Test macOS on CI by @EliahKagan in #1752
  * Let close_fds be True on all platforms by @EliahKagan in #1753
  * Fix IndexFile.from_tree on Windows by @EliahKagan in #1751
  * Remove unused TASKKILL fallback in AutoInterrupt by @EliahKagan in #1754
  * Don't return with operand when conceptually void by @EliahKagan in #1755
  * Group .gitignore entries by purpose by @EliahKagan in #1758

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-GitPython?expand=0&rev=59
2024-11-19 21:05:53 +00:00


diff --git a/git/refs/symbolic.py b/git/refs/symbolic.py
index 33c3bf15b..5c293aa7b 100644
--- a/git/refs/symbolic.py
+++ b/git/refs/symbolic.py
@@ -168,6 +168,8 @@ def _get_ref_info_helper(
"""Return: (str(sha), str(target_ref_path)) if available, the sha the file at
rela_path points to, or None. target_ref_path is the reference we
point to, or None"""
+ if ".." in str(ref_path):
+ raise ValueError(f"Invalid reference '{ref_path}'")
tokens: Union[None, List[str], Tuple[str, str]] = None
repodir = _git_dir(repo, ref_path)
try:
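Review bot: the docstring immediately above the new check still documents only the return values; add a `:raise ValueError:` line for the `".."` case so callers of `_get_ref_info_helper` know it can now raise on a malformed reference path. Note also that this hunk raises `ValueError`, while the test added to `test/test_refs.py` in the same patch asserts `BadName` from `self.rorepo.commit(...)`, so that test passes only if some caller up the stack translates `ValueError` into `BadName`; a direct unit test of `_get_ref_info_helper` asserting `ValueError` would pin down this function's own contract.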
diff --git a/test/test_refs.py b/test/test_refs.py
index 4c421767e..e7526c3b2 100644
--- a/test/test_refs.py
+++ b/test/test_refs.py
@@ -5,6 +5,7 @@
# the BSD License: http://www.opensource.org/licenses/bsd-license.php
from itertools import chain
+from pathlib import Path
from git import (
Reference,
@@ -20,9 +21,11 @@
from git.objects.tag import TagObject
from test.lib import TestBase, with_rw_repo
from git.util import Actor
+from gitdb.exc import BadName
import git.refs as refs
import os.path as osp
+import tempfile
class TestRefs(TestBase):
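Review bot: `from gitdb.exc import BadName` and `import tempfile` are interleaved with the existing `from git.util import Actor` / `import git.refs` / `import os.path as osp` lines; move `import tempfile` up next to `from itertools import chain` with the other standard-library imports and keep the third-party `gitdb` import together with the `git` imports, matching the grouping the module already uses.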
@@ -616,3 +619,15 @@ def test_dereference_recursive(self):
def test_reflog(self):
assert isinstance(self.rorepo.heads.master.log(), RefLog)
+
+ def test_refs_outside_repo(self):
+ # Create a file containing a valid reference outside the repository. Attempting
+ # to access it should raise an exception, due to it containing a parent directory
+ # reference ('..'). This tests for CVE-2023-41040.
+ git_dir = Path(self.rorepo.git_dir)
+ repo_parent_dir = git_dir.parent.parent
+ with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file:
+ ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe")
+ ref_file.flush()
+ ref_file_name = Path(ref_file.name).name
+ self.assertRaises(BadName, self.rorepo.commit, f"../../{ref_file_name}")
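Review bot: the strength of this regression test depends on `91b464cd624fe22fbf54ea22b85a7e5cca507cfe` naming an object that really exists in `self.rorepo`; if it does not, `self.rorepo.commit("../../<name>")` raises `BadName` even without the `".."` check in `_get_ref_info_helper`, and the test passes against unfixed code. Write a hexsha known to exist (for example `self.rorepo.head.commit.hexsha.encode()`) into the temp file, or assert the object's existence first, so that a failure to reject the traversal shows up as a successful lookup rather than as another `BadName`. A short comment tying `repo_parent_dir = git_dir.parent.parent` to the `../../` in the lookup would also help the next reader see why two levels are used.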