The SCM blacklist does not normalize paths, which means that if you blacklist /forks, ./forks is still possible.
A patch for this is attached: 0001-Run-normpath-over-SCM-url-when-checking-against-allo.patch (/koji/issue/raw/0c66cbc58c60def6f701bf75f04032b8261a8c4c0d8ac6e93af92931b476f49e-0001-Run-normpath-over-SCM-url-when-checking-against-allo.patch)
Retrying attach...
Attached: 0001-Run-normpath-over-SCM-url-when-checking-against-allo.patch (/koji/issue/raw/files/0c66cbc58c60def6f701bf75f04032b8261a8c4c0d8ac6e93af92931b476f49e-0001-Run-normpath-over-SCM-url-when-checking-against-allo.patch)
Thanks, looks fine. I'll merge this before 1.14
Metadata Update from @mikem: - Issue set to the milestone: 1.14
This issue has been assigned CVE-2017-1002153.
Attached: 0001-fix-up-url-checks-and-extend-unit-tests-for-this-iss.patch (/koji/issue/raw/files/ef6a463bb98ff321d078d27b284d88b00a4784f832f5c84befcc4c29aa035645-0001-fix-up-url-checks-and-extend-unit-tests-for-this-iss.patch)
The previous patch adjusts some checks, extends the unit tests to cover the sorts of urls we're concerned with, and preserves our code coverage.
It also catches paths starting with //, which normpath for some reason does not.
This patch looks good to me.
Side note: here is the reason normpath allows // at the beginning: https://unix.stackexchange.com/questions/12283/unix-difference-between-path-starting-with-and
This is not applicable in any of our urls, so our squashing of // to / is correct.
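To make the bypass discussed in this ticket concrete, the following is an added illustration written for this page; it is neither Koji's code nor either of the attached patches. It puts a naive path-prefix check (the kind that lets ./forks and //forks slip past a /forks entry) next to a normalizing check that runs posixpath.normpath and then squashes a leading // to /, as the comments above describe. The function names, the BLOCKED_PREFIXES list and the example URLs are all constructed for this example.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample policy: repository path prefixes the build system refuses.
# Mirrors the "/forks" example from the report above.
BLOCKED_PREFIXES = ("/forks",)


def _path_of(url):
    """Return the path component of an SCM URL exactly as given (no normalization)."""
    return urlsplit(url).path


def _matches_prefix(path, prefix):
    """True when path equals prefix or lives underneath it as a directory."""
    return path == prefix or path.startswith(prefix + "/")


def raw_is_blocked(url):
    """Vulnerable form (constructed): compares the raw path, so './forks/...' and
    '//forks/...' do not match a '/forks' entry even though they reach the same tree."""
    path = _path_of(url)
    return any(_matches_prefix(path, p) for p in BLOCKED_PREFIXES)


def normalize_scm_path(path):
    """Canonicalize a URL path before comparing it against policy.

    posixpath.normpath collapses '.' segments, resolves '..' and folds runs of
    three or more slashes, but deliberately keeps a leading '//' because POSIX
    leaves that prefix implementation-defined. For SCM URL paths that distinction
    carries no meaning, so a leading '//' is reduced to '/'.
    """
    if not path.startswith("/"):
        # Anchor relative forms such as './forks' so normpath resolves them at the root.
        path = "/" + path
    norm = posixpath.normpath(path)
    while norm.startswith("//"):
        norm = norm[1:]
    return norm


def normalized_is_blocked(url):
    """Hardened form (constructed): normalize first, then apply the same prefix test."""
    path = normalize_scm_path(_path_of(url))
    return any(_matches_prefix(path, p) for p in BLOCKED_PREFIXES)


if __name__ == "__main__":
    # Constructed URLs; example.com is a placeholder host.
    for url in (
        "git://example.com/forks/evil.git",
        "git://example.com/./forks/evil.git",
        "git://example.com//forks/evil.git",
        "git://example.com/pkgs/../forks/evil.git",
        "git://example.com/pkgs/tool.git",
    ):
        print(f"{url:45} raw={raw_is_blocked(url)!s:5} normalized={normalized_is_blocked(url)}")
```

The normalizing check is also what the unit tests in the second patch would exercise: each spelling of the same tree (dot segment, doubled slash, parent traversal) should collapse to one canonical path before the policy is consulted, and an unrelated path should stay unaffected.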
Metadata Update from @mikem: - Issue private status set to: False (was: True)
Commit ba7b5a3 fixes this issue