From affcebf0f99281ef29f6d8b976e77fadf0ea96c5 Mon Sep 17 00:00:00 2001
From: Thomas Chauchefoin
Date: May 18 2024 21:03:42 +0000
Subject: Separate options and operands in PagureRepo.log()

Prevent the injection of additional options to the Git command-line by adding the (non-standard) --end-of-option flag before any user-controlled value. This was reachable from view_history_file().

Fixes: rhbz#2277121, 6a1d002 ("Add a method to run git log using the system's git")
Signed-off-by: Thomas Chauchefoin
---
diff --git a/pagure/lib/repo.py b/pagure/lib/repo.py
index 524ea28..fd87c3f 100644
--- a/pagure/lib/repo.py
+++ b/pagure/lib/repo.py
@@ -149,6 +149,7 @@ class PagureRepo(pygit2.Repository):
 cmd = ["git", "log"]
 if log_options:
 cmd.extend(log_options)
+ cmd.append("--end-of-options")
 if fromref:
 cmd.append(fromref)
 if target:
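Review bot: The added `cmd.append("--end-of-options")` is only understood by Git 2.24 and newer; on an older git binary `git log` will treat it as a revision and abort with "ambiguous argument", so the minimum Git version should be checked at startup or at least stated in the method's docstring. The line also deserves a why-comment, e.g. `# Git >= 2.24: stop option parsing so user-controlled refs/paths below cannot inject flags`. Note that `log_options` is still extended before the terminator, so it must never carry user-derived values; the visible hunk does not show where it comes from, and the `fromref`/`target` handling and the rest of the method run past the hunk, so whether a `--` separator also guards the pathspec against ref/path ambiguity cannot be confirmed here.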