wombelix / pagure

Forked from pagure 2 years ago

2803a7a fix: _update_file_in_git() follows symbolic links in temporary clones

1 file Authored by wombelix 4 months ago, Committed by wombelix 4 months ago,
    fix: _update_file_in_git() follows symbolic links in temporary clones
    
    Bail out if file path is outside the temp repo or inside the '.git/' folder.
    This avoids data leaks and unauthorized changes in files or git config.
    
    Vulnerability discovered by Thomas Chauchefoin <thomas@chauchefoin.fr>
    
    Fixes: rhbz#2278745, rhbz#2280725, rhbz#2280723, CVE-2024-4981
    
    Signed-off-by: Dominik Wombacher <dominik@wombacher.cc>
    
file modified
+9 -1
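The check the commit message describes (resolve the requested path, refuse anything that lands outside the temporary clone or under its `.git/` directory) as an added example in Python, pagure's implementation language. This is not pagure's own code: `is_safe_repo_path`, `demo` and the temporary repository layout that `demo` builds are constructed for this illustration, and the example generalizes the symlink case to `..` traversal as well.

```python
import os
import tempfile


def is_safe_repo_path(repo_root, relative_path):
    """Return True only if ``relative_path`` resolves to a location inside
    ``repo_root`` and outside its ``.git/`` directory.

    realpath() follows every symbolic-link component, including the final
    one, and collapses '..' segments, so a link planted in the working tree
    that points at /etc/passwd or at .git/config is rejected instead of
    being silently read or overwritten.
    """
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, relative_path))

    # Containment: the resolved path must be the root itself or a descendant.
    # Comparing with a trailing separator keeps '/tmp/repo' from matching
    # a sibling such as '/tmp/repo-other'.
    if target != root and not target.startswith(root + os.sep):
        return False

    # Deny the repository metadata directory and everything below it.
    git_dir = os.path.join(root, ".git")
    if target == git_dir or target.startswith(git_dir + os.sep):
        return False
    return True


def demo():
    """Build a constructed temporary clone and classify a few request paths.

    Returns a dict mapping each relative path to the verdict of
    is_safe_repo_path(). The files and links are sample data for this example.
    """
    with tempfile.TemporaryDirectory() as base:
        repo = os.path.join(base, "clone")
        os.makedirs(os.path.join(repo, ".git"))
        with open(os.path.join(repo, ".git", "config"), "w") as fh:
            fh.write("[core]\n")
        with open(os.path.join(repo, "README.md"), "w") as fh:
            fh.write("sample\n")
        outside = os.path.join(base, "secret.txt")
        with open(outside, "w") as fh:
            fh.write("not part of the repository\n")
        os.makedirs(os.path.join(repo, "docs"))

        # Symbolic links a hostile commit could carry in the working tree:
        # one escaping the clone, one reaching into .git/, and one that
        # stays inside the clone (a relative link back to its root).
        os.symlink(outside, os.path.join(repo, "link_outside"))
        os.symlink(os.path.join(".git", "config"),
                   os.path.join(repo, "link_gitconfig"))
        os.symlink("..", os.path.join(repo, "docs", "up"))

        candidates = [
            "README.md",           # plain file inside the clone
            "docs/../README.md",   # '..' that stays inside the clone
            "docs/up/README.md",   # symlink that resolves inside the clone
            "link_outside",        # symlink escaping the clone
            "link_gitconfig",      # symlink into .git/
            ".git/config",         # direct access to repository metadata
            "../secret.txt",       # '..' escaping the clone
        ]
        return {path: is_safe_repo_path(repo, path) for path in candidates}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print("%-20s %s" % (path, "allowed" if verdict else "rejected"))
```

Run the module directly to see the verdicts. The check is deliberately applied to the fully resolved path rather than to the string the caller supplied, since a lexical check (`relative_path.startswith("..")`, or a bare `os.path.join`) sees nothing wrong with a regular-looking name that is a symbolic link.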