|
 |
1a9f8e |
From 4f0099156245ed2873d6945d5e58db741e15836d Mon Sep 17 00:00:00 2001
|
|
|
1a9f8e |
From: Lumir Balhar <lbalhar@redhat.com>
|
|
|
1a9f8e |
Date: Tue, 8 Jun 2021 09:51:47 +0200
|
|
|
1a9f8e |
Subject: [PATCH] CVE-2021-3572
|
|
|
1a9f8e |
|
|
|
1a9f8e |
---
|
|
|
1a9f8e |
src/pip/_internal/vcs/git.py | 10 ++++++++--
|
|
|
1a9f8e |
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
|
1a9f8e |
|
|
|
1a9f8e |
diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
|
|
|
1a9f8e |
index 92b8457..7b3cc4a 100644
|
|
|
1a9f8e |
--- a/src/pip/_internal/vcs/git.py
|
|
|
1a9f8e |
+++ b/src/pip/_internal/vcs/git.py
|
|
|
1a9f8e |
@@ -120,9 +120,15 @@ class Git(VersionControl):
|
|
|
1a9f8e |
output = cls.run_command(['show-ref', rev], cwd=dest,
|
|
|
1a9f8e |
show_stdout=False, on_returncode='ignore')
|
|
|
1a9f8e |
refs = {}
|
|
|
1a9f8e |
- for line in output.strip().splitlines():
|
|
|
1a9f8e |
+ # NOTE: We do not use splitlines here since that would split on other
|
|
|
1a9f8e |
+ # unicode separators, which can be maliciously used to install a
|
|
|
1a9f8e |
+ # different revision.
|
|
|
1a9f8e |
+ for line in output.strip().split("\n"):
|
|
|
1a9f8e |
+ line = line.rstrip("\r")
|
|
|
1a9f8e |
+ if not line:
|
|
|
1a9f8e |
+ continue
|
|
|
1a9f8e |
try:
|
|
|
1a9f8e |
- sha, ref = line.split()
|
|
|
1a9f8e |
+ sha, ref = line.split(" ", maxsplit=2)
|
|
|
1a9f8e |
except ValueError:
|
|
|
1a9f8e |
# Include the offending line to simplify troubleshooting if
|
|
|
1a9f8e |
# this error ever occurs.
|
|
|
1a9f8e |
--
|
|
|
1a9f8e |
2.31.1
|
|
|
1a9f8e |
|