pagure

Clone

#5481 Separate options and operands in PagureRepo.log()
Merged 11 months ago by wombelix. Opened 11 months ago by wombelix.
wombelix/pagure fix_security_issue_rhbz2277121_argument_injection  into  master

file modified
+1 
@@ -149,6 +149,7 @@ 
 

          cmd = ["git", "log"]
 

          if log_options:
 

              cmd.extend(log_options)
 

+         cmd.append("--end-of-options")
 

          if fromref:
 

              cmd.append(fromref)
 

          if target:

Prevent the injection of additional options to the Git command-line
by adding the (non-standard) --end-of-option flag before any
user-controlled value. This was reachable from view_history_file().

Fixes: rhbz#2277121, 6a1d002 ("Add a method to run git log using the system's git")
Signed-off-by: Thomas Chauchefoin thomas@chauchefoin.fr

Metadata Update from @wombelix:
- Request assigned
11 months ago

Patch reviewed and validated in Bugzilla. Tests performed locally, all passed.

Pull-Request has been merged by wombelix
11 months ago
Metadata
No Tags
Changes Summary 1
+1 -0
file changed
pagure/lib/repo.py
Powered by Pagure 5.14.1
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.