Commit54709d9
committed
Fix leaking environment variables
1 parentcf8dc25 commit54709d9

1 file changed

+18
-6
lines changed


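--- a/git/repo/base.py
+++ b/git/repo/base.py
@@ -9,6 +9,7 @@
 import os
 import re
 import sys
+import warnings
 
 from git.cmd import (
     Git,
@@ -50,8 +51,11 @@
 __all__ = ('Repo',)
 
 
-def _expand_path(p):
-    return osp.normpath(osp.abspath(osp.expandvars(osp.expanduser(p))))
+def _expand_path(p, unsafe=True):
+    if unsafe:
+        return osp.normpath(osp.abspath(osp.expandvars(osp.expanduser(p))))
+    else:
+        return osp.normpath(osp.abspath(osp.expanduser(p)))
 
 
 class Repo(object):
@@ -90,7 +94,7 @@ class Repo(object):
     # Subclasses may easily bring in their own custom types by placing a constructor or type here
     GitCommandWrapperType = Git
 
-    def __init__(self, path=None, odbt=DefaultDBType, search_parent_directories=False):
+    def __init__(self, path=None, odbt=DefaultDBType, search_parent_directories=False, unsafe=True):
         """Create a new Repo instance
 
         :param path:
@@ -121,7 +125,10 @@ def __init__(self, path=None, odbt=DefaultDBType, search_parent_directories=Fals
             epath = os.getcwd()
         if Git.is_cygwin():
             epath = decygpath(epath)
-        epath = _expand_path(epath or path or os.getcwd())
+        if unsafe and ("%" in epath or "$" in epath):
+            warnings.warn("The use of environment variables in paths is deprecated"
+                          + "\nfor security reasons and may be removed in the future!!")
+        epath = _expand_path(epath or path or os.getcwd(), unsafe)
         if not os.path.exists(epath):
             raise NoSuchPathError(epath)
 
@@ -148,7 +155,7 @@ def __init__(self, path=None, odbt=DefaultDBType, search_parent_directories=Fals
             sm_gitpath = find_worktree_git_dir(dotgit)
 
             if sm_gitpath is not None:
-                self.git_dir = _expand_path(sm_gitpath)
+                self.git_dir = _expand_path(sm_gitpath, unsafe)
                 self._working_tree_dir = curpath
                 break
 
@@ -862,12 +869,17 @@ def init(cls, path=None, mkdir=True, odbt=DefaultDBType, **kwargs):
             the directory containing the database objects, i.e. .git/objects.
             It will be used to access all object data
 
+        :param unsafe:
+            if specified, environment variables will not be escaped. This
+            can lead to information disclosure, allowing attackers to
+            access the contents of environment variables
+
         :parm kwargs:
             keyword arguments serving as additional options to the git-init command
 
         :return: ``git.Repo`` (the newly created repo)"""
         if path:
-            path = _expand_path(path)
+            path = _expand_path(path, unsafe)
         if mkdir and path and not osp.exists(path):
             os.makedirs(path, 0o755)
 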