Commit
Merge pull request #9827 from pradyunsg/fix-git-improper-tag-handling
Don't split git references on unicode separators
sbidoul authored Apr 24, 2021
2 parents 1320bac + 0e4938d commit e46bdda
Showing 2 changed files with 11 additions and 2 deletions.
3 changes: 3 additions & 0 deletions news/9827.bugfix.rst
@@ -0,0 +1,3 @@
**SECURITY**: Stop splitting on unicode separators in git references,
which could be maliciously used to install a different revision on the
repository.
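Review bot: The news entry's "install a different revision on the repository" should read "from the repository", and it would help downstream packagers triaging the fix if it named the affected code path visible in this commit (the reference parsing in `get_revision_sha` in `src/pip/_internal/vcs/git.py`), since the entry as written does not say which part of the git backend was affected.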
10 changes: 8 additions & 2 deletions src/pip/_internal/vcs/git.py
Expand Up @@ -131,9 +131,15 @@ def get_revision_sha(cls, dest, rev):
on_returncode='ignore',
)
refs = {}
for line in output.strip().splitlines():
# NOTE: We do not use splitlines here since that would split on other
# unicode separators, which can be maliciously used to install a
# different revision.
for line in output.strip().split("\n"):
line = line.rstrip("\r")
if not line:
continue
try:
ref_sha, ref_name = line.split()
ref_sha, ref_name = line.split(" ", maxsplit=2)
except ValueError:
# Include the offending line to simplify troubleshooting if
# this error ever occurs.
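Review bot: `maxsplit=2` in `ref_sha, ref_name = line.split(" ", maxsplit=2)` permits up to three fields, so the two-name unpack still raises `ValueError` on any line with an extra separator; `maxsplit=1` is the bound that matches the unpack and the intent. Be aware that `split(" ")` with an explicit separator also stops collapsing runs of spaces the way the old bare `line.split()` did (`"a  b".split(" ", maxsplit=2)` gives `['a', '', 'b']`), so the `except ValueError` branch now catches double-spaced lines as well; that is acceptable for git's single-space `<sha> <ref>` output, but deserves a word in the comment. Changing both the line iteration (`splitlines()` to `split("\n")`) and the field split (`split()` to `split(" ")`) is the right call, since bare `split()` treats the same Unicode whitespace as separators and fixing only the line loop would have left the field parsing exposed.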

0 comments on commit e46bdda