Blame SOURCES/git-cve-2020-5260.patch

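diff -ur b/credential.c a/credential.c
--- b/credential.c	2020-04-14 14:15:41.637223958 +0200
+++ a/credential.c	2020-04-14 14:59:03.325862182 +0200
@@ -190,6 +190,8 @@
 {
 	if (!value)
 		return;
+	if (strchr(value, '\n'))
+		die("credential value for %s contains newline", key);
 	fprintf(fp, "%s=%s\n", key, value);
 }
 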
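Review bot: The added `strchr(value, '\n')` guard rejects only the line feed that `fprintf(fp, "%s=%s\n", key, value)` uses as the record separator, so a value carrying a bare carriage return still goes out unchanged. Whether any credential helper on the reading side treats CR as a line end cannot be seen from this hunk; if one does, it would still parse an extra `key=value` line, and the check could be widened to `if (strpbrk(value, "\r\n"))`. A one-line comment above the check, e.g. `/* protocol is one key=value per line; a newline inside a value would start a new line */`, would record why it is there. The function's signature sits above the hunk, so the types of `key` and `value` are assumed from their use here.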
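diff -ur b/t/t0300-credentials.sh a/t/t0300-credentials.sh
--- b/t/t0300-credentials.sh	2020-04-14 14:15:41.569223126 +0200
+++ a/t/t0300-credentials.sh	2020-04-14 15:00:01.331571252 +0200
@@ -289,4 +289,10 @@
 	EOF
 '
 
+test_expect_success 'url parser rejects embedded newlines' '
+	test_must_fail git credential fill <<-\EOF
+	url=https://one.example.com?%0ahost=two.example.com/
+	EOF
+'
+
 test_done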
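Review bot: `test_must_fail` here passes on any non-zero exit of `git credential fill`, so the test does not show that the failure comes from the newline check rather than from something unrelated such as a missing helper or prompt. Capturing stderr and matching the message from credential.c would pin it down: `test_must_fail git credential fill 2>stderr <<-\EOF &&` for the command line and, after the here-document, `grep "contains newline" stderr`. The rest of the test script is outside the hunk, so which helpers or askpass setup are active at this point is not visible.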