Commit8b75434

authored

Merge pull request#1636 from EliahKagan/cve-2023-40590

FixCVE-2023-40590

2 parentse19abe7 +7611cd9 commit8b75434Copy full SHA for 8b75434

File tree

2 files changed

+52

-18

lines changed

git
- cmd.py
test
- test_git.py

2 files changed

+52

-18

lines changed

`‎git/cmd.py‎`

Lines changed: 21 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`# the BSD License: http://www.opensource.org/licenses/bsd-license.php`
`6`	`6`	`from __future__importannotations`
`7`	`7`	`importre`
`8`		`-fromcontextlibimportcontextmanager`
	`8`	`+importcontextlib`
`9`	`9`	`importio`
`10`	`10`	`importlogging`
`11`	`11`	`importos`
`@@ -14,6 +14,7 @@`
`14`	`14`	`importsubprocess`
`15`	`15`	`importthreading`
`16`	`16`	`fromtextwrapimportdedent`
	`17`	`+importunittest.mock`
`17`	`18`
`18`	`19`	`fromgit.compatimport (`
`19`	`20`	`defenc,`
`@@ -963,8 +964,11 @@ def execute(`
`963`	`964`	`redacted_command,`
`964`	`965`	`'"kill_after_timeout" feature is not supported on Windows.',`
`965`	`966`	`)`
	`967`	`+# Only search PATH, not CWD. This must be in the caller environment. The "1" can be any value.`
	`968`	`+patch_caller_env=unittest.mock.patch.dict(os.environ, {"NoDefaultCurrentDirectoryInExePath":"1"})`
`966`	`969`	`else:`
`967`	`970`	`cmd_not_found_exception=FileNotFoundError# NOQA # exists, flake8 unknown @UndefinedVariable`
	`971`	`+patch_caller_env=contextlib.nullcontext()`
`968`	`972`	`# end handle`
`969`	`973`
`970`	`974`	`stdout_sink=PIPEifwith_stdoutelsegetattr(subprocess,"DEVNULL",None)oropen(os.devnull,"wb")`
`@@ -980,21 +984,21 @@ def execute(`
`980`	`984`	`istream_ok,`
`981`	`985`	`)`
`982`	`986`	`try:`
`983`		`-proc=Popen(`
`984`		`-command,`
`985`		`-env=env,`
`986`		`-cwd=cwd,`
`987`		`-bufsize=-1,`
`988`		`-stdin=istreamorDEVNULL,`
`989`		`-stderr=PIPE,`
`990`		`-stdout=stdout_sink,`
`991`		`-shell=shellisnotNoneandshellorself.USE_SHELL,`
`992`		`-close_fds=is_posix,# unsupported on windows`
`993`		`-universal_newlines=universal_newlines,`
`994`		`-creationflags=PROC_CREATIONFLAGS,`
`995`		`-**subprocess_kwargs,`
`996`		`-)`
`997`		`-`
	`987`	`+withpatch_caller_env:`
	`988`	`+proc=Popen(`
	`989`	`+command,`
	`990`	`+env=env,`
	`991`	`+cwd=cwd,`
	`992`	`+bufsize=-1,`
	`993`	`+stdin=istreamorDEVNULL,`
	`994`	`+stderr=PIPE,`
	`995`	`+stdout=stdout_sink,`
	`996`	`+shell=shellisnotNoneandshellorself.USE_SHELL,`
	`997`	`+close_fds=is_posix,# unsupported on windows`
	`998`	`+universal_newlines=universal_newlines,`
	`999`	`+creationflags=PROC_CREATIONFLAGS,`
	`1000`	`+**subprocess_kwargs,`
	`1001`	`+ )`
`998`	`1002`	`exceptcmd_not_found_exceptionaserr:`
`999`	`1003`	`raiseGitCommandNotFound(redacted_command,err)fromerr`
`1000`	`1004`	`else:`
`@@ -1144,7 +1148,7 @@ def update_environment(self, **kwargs: Any) -> Dict[str, Union[str, None]]:`
`1144`	`1148`	`delself._environment[key]`
`1145`	`1149`	`returnold_env`
`1146`	`1150`
`1147`		`-@contextmanager`
	`1151`	`+@contextlib.contextmanager`
`1148`	`1152`	`defcustom_environment(self,**kwargs:Any)->Iterator[None]:`
`1149`	`1153`	`"""`
`1150`	`1154`	A context manager around the above ``update_environment`` method to restore the

`‎test/test_git.py‎`

Lines changed: 31 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -4,10 +4,12 @@`
`4`	`4`	`#`
`5`	`5`	`# This module is part of GitPython and is released under`
`6`	`6`	`# the BSD License: http://www.opensource.org/licenses/bsd-license.php`
	`7`	`+importcontextlib`
`7`	`8`	`importos`
	`9`	`+importshutil`
`8`	`10`	`importsubprocess`
`9`	`11`	`importsys`
`10`		`-fromtempfileimportTemporaryFile`
	`12`	`+fromtempfileimportTemporaryDirectory,TemporaryFile`
`11`	`13`	`fromunittestimportmock`
`12`	`14`
`13`	`15`	`fromgitimportGit,refresh,GitCommandError,GitCommandNotFound,Repo,cmd`
`@@ -20,6 +22,17 @@`
`20`	`22`	`fromgit.compatimportis_win`
`21`	`23`
`22`	`24`
	`25`	`+@contextlib.contextmanager`
	`26`	`+def_chdir(new_dir):`
	`27`	`+"""Context manager to temporarily change directory. Not reentrant."""`
	`28`	`+old_dir=os.getcwd()`
	`29`	`+os.chdir(new_dir)`
	`30`	`+try:`
	`31`	`+yield`
	`32`	`+finally:`
	`33`	`+os.chdir(old_dir)`
	`34`	`+`
	`35`	`+`
`23`	`36`	`classTestGit(TestBase):`
`24`	`37`	`@classmethod`
`25`	`38`	`defsetUpClass(cls):`
`@@ -75,6 +88,23 @@ def test_it_transforms_kwargs_into_git_command_arguments(self):`
`75`	`88`	`deftest_it_executes_git_to_shell_and_returns_result(self):`
`76`	`89`	`self.assertRegex(self.git.execute(["git","version"]),r"^git version [\d\.]{2}.*$")`
`77`	`90`
	`91`	`+deftest_it_executes_git_not_from_cwd(self):`
	`92`	`+withTemporaryDirectory()astmpdir:`
	`93`	`+ifis_win:`
	`94`	`+# Copy an actual binary executable that is not git.`
	`95`	`+other_exe_path=os.path.join(os.getenv("WINDIR"),"system32","hostname.exe")`
	`96`	`+impostor_path=os.path.join(tmpdir,"git.exe")`
	`97`	`+shutil.copy(other_exe_path,impostor_path)`
	`98`	`+else:`
	`99`	`+# Create a shell script that doesn't do anything.`
	`100`	`+impostor_path=os.path.join(tmpdir,"git")`
	`101`	`+withopen(impostor_path,mode="w",encoding="utf-8")asfile:`
	`102`	`+print("#!/bin/sh",file=file)`
	`103`	`+os.chmod(impostor_path,0o755)`
	`104`	`+`
	`105`	`+with_chdir(tmpdir):`
	`106`	`+self.assertRegex(self.git.execute(["git","version"]),r"^git version\b")`
	`107`	`+`
`78`	`108`	`deftest_it_accepts_stdin(self):`
`79`	`109`	`filename=fixture_path("cat_file_blob")`
`80`	`110`	`withopen(filename,"r")asfh:`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit8b75434

File tree

2 files changed

2 files changed

`‎git/cmd.py‎`

`‎test/test_git.py‎`

0 commit comments