From 64ebb9fcdfbe48d5d61141a557691fd91f1e88d6 Mon Sep 17 00:00:00 2001
From: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Date: Tue, 5 Sep 2023 09:51:50 +0200
Subject: [PATCH] Fix CVE-2023-41040
|
|
This change adds a check during reference resolution to see if the reference path
contains an up-level reference ('..'). If it does, it raises an
exception.
|
|
This fixes CVE-2023-41040, which allows an attacker to access files
outside the repository's directory.
---
git/refs/symbolic.py | 2 ++
1 file changed, 2 insertions(+)
|
|
diff --git a/git/refs/symbolic.py b/git/refs/symbolic.py
|
|
index 33c3bf15b..5c293aa7b 100644
|
|
--- a/git/refs/symbolic.py
|
|
+++ b/git/refs/symbolic.py
|
|
@@ -168,6 +168,8 @@ def _get_ref_info_helper(
|
|
"""Return: (str(sha), str(target_ref_path)) if available, the sha the file at
|
|
rela_path points to, or None. target_ref_path is the reference we
|
|
point to, or None"""
|
|
+ if ".." in str(ref_path):
|
|
+ raise ValueError(f"Invalid reference '{ref_path}'")
|
|
tokens: Union[None, List[str], Tuple[str, str]] = None
|
|
repodir = _git_dir(repo, ref_path)
|
|
try:
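Review bot: The new guard only rejects paths containing `..`, so an absolute `ref_path` (e.g. `/etc/passwd`) still passes the check and, if the file path is later assembled with `os.path.join(repodir, ref_path)`, the join discards `repodir` and the read escapes the repository just the same; the open call is outside this hunk, so confirm how the path is built. A stronger guard rejects both forms, `if ".." in str(ref_path) or os.path.isabs(ref_path):` (assuming `os` is already imported in this module), or better, resolves the joined path and verifies it is still under `repodir` before opening it. The substring test also rejects any ref name containing `..` anywhere, which matches git's own ref-name rules, so that part is sound; a comment such as `# Reject up-level components: a ref name must never resolve outside the repository (CVE-2023-41040)` would make the intent clear to the next reader. `_get_ref_info_helper` starts before and ends after this hunk.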
|