
Commit 64ebb9f

This change adds a check during reference resolving to see if it contains an up-level reference ('..'). If it does, it raises an exception. This fixes CVE-2023-41040, which allows an attacker to access files outside the repository's directory.
1 parent 91b464c commit 64ebb9f
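The commit message above describes the mitigation: reject a reference whose path contains `..` before the file under the repository's git directory is opened. The following is an added example, not GitPython's code, that shows the same textual check next to a path-containment check a defender would usually pair with it; `is_safe_ref_path`, `resolve_ref_file`, `read_ref`, and the constructed temporary repository layout are all assumptions of this example.

```python
import os
import tempfile


def is_safe_ref_path(git_dir: str, ref_path: str) -> bool:
    """Return True if ref_path may be resolved relative to git_dir.

    Two independent checks (both assumptions of this example, not GitPython's code):
    1. the textual check from the commit: any '..' in the reference name is rejected.
       Git's own ref-name rules already forbid two consecutive dots, so a legitimate
       reference never contains this substring.
    2. a containment check: the normalized, joined path must stay inside git_dir.
       This also catches an absolute ref_path, which os.path.join would otherwise
       accept as-is and which the substring check alone does not cover.
    """
    if ".." in str(ref_path):
        return False
    git_root = os.path.realpath(git_dir)
    candidate = os.path.realpath(os.path.join(git_root, ref_path))
    return os.path.commonpath([git_root, candidate]) == git_root


def resolve_ref_file(git_dir: str, ref_path: str) -> str:
    """Map a reference name to the file that holds it, or raise ValueError.

    The error message mirrors the one introduced by the commit.
    """
    if not is_safe_ref_path(git_dir, ref_path):
        raise ValueError(f"Invalid reference '{ref_path}'")
    return os.path.join(os.path.realpath(git_dir), ref_path)


def read_ref(git_dir: str, ref_path: str) -> str:
    """Read the content of a loose reference file after validating its path."""
    with open(resolve_ref_file(git_dir, ref_path), encoding="utf-8") as fh:
        return fh.read().strip()


def make_demo_git_dir() -> str:
    """Build a constructed, minimal '.git' layout with one loose ref (sample data)."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    with open(os.path.join(git_dir, "refs", "heads", "main"), "w", encoding="utf-8") as fh:
        fh.write("0123456789abcdef0123456789abcdef01234567\n")  # constructed sha
    return git_dir


if __name__ == "__main__":
    demo = make_demo_git_dir()
    print(read_ref(demo, "refs/heads/main"))
    for bad in ("../../etc/passwd", "refs/heads/a..b", "/etc/passwd"):
        try:
            read_ref(demo, bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The substring check is the cheap, format-level rule; the containment check is the belt-and-braces rule that does not depend on how the reference string is spelled. Keeping both means a later refactor of one does not silently reopen the traversal.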

File tree

1 file changed: +2 -0 lines changed


git/refs/symbolic.py

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -168,6 +168,8 @@ def _get_ref_info_helper(
168168
"""Return: (str(sha), str(target_ref_path)) if available, the sha the file at
169169
rela_path points to, or None. target_ref_path is the reference we
170170
point to, or None"""
171+
if ".." in str(ref_path):
172+
raise ValueError(f"Invalid reference '{ref_path}'")
171173
tokens: Union[None, List[str], Tuple[str, str]] = None
172174
repodir = _git_dir(repo, ref_path)
173175
try:
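Review bot: no test accompanies the new check (the commit touches only `git/refs/symbolic.py`); add a unit test asserting that `_get_ref_info_helper` raises `ValueError` for a reference path containing `..` and that an ordinary reference such as `refs/heads/main` still resolves. The added `if ".." in str(ref_path):` is a substring test, so it also rejects names like `a..b` and not only `../` path components; that is acceptable because git's own reference-name rules already forbid two consecutive dots, but a one-line comment saying so would stop a future contributor from "relaxing" it to a component-only check. The docstring directly above does not mention the newly raised `ValueError`; consider adding a `Raises:` line so callers know to handle it.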
