Blob Blame History Raw
From d135e45152a88b896b1d3e8770d5d59f694c2419 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Tue, 8 Jun 2021 10:08:49 +0200
Subject: [PATCH] CVE-2021-3572

---
 src/pip/_internal/vcs/git.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
index a9c7fb6..b38625e 100644
--- a/src/pip/_internal/vcs/git.py
+++ b/src/pip/_internal/vcs/git.py
@@ -142,9 +142,15 @@ class Git(VersionControl):
             pass
 
         refs = {}
-        for line in output.strip().splitlines():
+        # NOTE: We do not use splitlines here since that would split on other
+        #       unicode separators, which can be maliciously used to install a
+        #       different revision.
+        for line in output.strip().split("\n"):
+            line = line.rstrip("\r")
+            if not line:
+                continue
             try:
-                sha, ref = line.split()
+                sha, ref = line.split(" ", maxsplit=2)
             except ValueError:
                 # Include the offending line to simplify troubleshooting if
                 # this error ever occurs.
-- 
2.31.1