File: CVE-2023-40267.patch

package info (click to toggle)
python-git 3.1.30-1%2Bdeb12u2
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 2,596 kB
  • sloc: python: 15,725; makefile: 80; sh: 28
file content (60 lines) | stat: -rw-r--r-- 2,510 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
 
From 5c59e0d63da6180db8a0b349f0ad36fef42aceed Mon Sep 17 00:00:00 2001
From: Sylvain Beucler <beuc@beuc.net>
Date: Mon, 10 Jul 2023 16:10:10 +0200
Subject: [PATCH] Block insecure non-multi options in clone/clone_from
 Follow-up to #1521

---
 git/repo/base.py  |  2 ++
 test/test_repo.py | 24 +++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

--- python-git-3.1.30.orig/git/repo/base.py
+++ python-git-3.1.30/git/repo/base.py
@@ -1188,6 +1188,8 @@ class Repo(object):
 
         if not allow_unsafe_protocols:
             Git.check_unsafe_protocols(str(url))
+        if not allow_unsafe_options:
+            Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=cls.unsafe_git_clone_options)
         if not allow_unsafe_options and multi_options:
             Git.check_unsafe_options(options=multi_options, unsafe_options=cls.unsafe_git_clone_options)
 
--- python-git-3.1.30.orig/test/test_repo.py
+++ python-git-3.1.30/test/test_repo.py
@@ -281,6 +281,17 @@ class TestRepo(TestBase):
                 rw_repo.clone(tmp_dir, multi_options=[unsafe_option])
             assert not tmp_file.exists()
 
+        unsafe_options = [
+            {"upload-pack": f"touch {tmp_file}"},
+            {"u": f"touch {tmp_file}"},
+            {"config": "protocol.ext.allow=always"},
+            {"c": "protocol.ext.allow=always"},
+        ]
+        for unsafe_option in unsafe_options:
+            with self.assertRaises(UnsafeOptionError):
+                rw_repo.clone(tmp_dir, **unsafe_option)
+            assert not tmp_file.exists()
+
     @with_rw_repo("HEAD")
     def test_clone_unsafe_options_allowed(self, rw_repo):
         tmp_dir = pathlib.Path(tempfile.mkdtemp())
@@ -337,6 +348,17 @@ class TestRepo(TestBase):
                 Repo.clone_from(rw_repo.working_dir, tmp_dir, multi_options=[unsafe_option])
             assert not tmp_file.exists()
 
+        unsafe_options = [
+            {"upload-pack": f"touch {tmp_file}"},
+            {"u": f"touch {tmp_file}"},
+            {"config": "protocol.ext.allow=always"},
+            {"c": "protocol.ext.allow=always"},
+        ]
+        for unsafe_option in unsafe_options:
+            with self.assertRaises(UnsafeOptionError):
+                Repo.clone_from(rw_repo.working_dir, tmp_dir, **unsafe_option)
+            assert not tmp_file.exists()
+
     @with_rw_repo("HEAD")
     def test_clone_from_unsafe_options_allowed(self, rw_repo):
         tmp_dir = pathlib.Path(tempfile.mkdtemp())