Skip to content

Commit c8ca3ca

Browse files
carlosmnpks-t
carlosmn
authored and
pks-t
committed
submodule: ignore path and url attributes if they look like options
These can be used to inject options in an implementation which performs a recursive clone by executing an external command via crafted url and path attributes such that it triggers a local executable to be run. The library is not vulnerable as we do not rely on external executables but a user of the library might be relying on that so we add this protection. This matches this aspect of git's fix for CVE-2018-17456.
1 parent 4e0bdaa commit c8ca3ca

File tree

1 file changed

+23
-8
lines changed

1 file changed

+23
-8
lines changed

src/submodule.c

Lines changed: 23 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1865,6 +1865,14 @@ static int get_value(const char **out, git_config *cfg, git_buf *buf, const char
18651865
return error;
18661866
}
18671867

1868+
static bool looks_like_command_line_option(const char *s)
1869+
{
1870+
if (s && s[0] == '-')
1871+
return true;
1872+
1873+
return false;
1874+
}
1875+
18681876
static int submodule_read_config(git_submodule *sm, git_config *cfg)
18691877
{
18701878
git_buf key = GIT_BUF_INIT;
@@ -1878,24 +1886,31 @@ static int submodule_read_config(git_submodule *sm, git_config *cfg)
18781886

18791887
if ((error = get_value(&value, cfg, &key, sm->name, "path")) == 0) {
18801888
in_config = 1;
1889+
/* We would warn here if we had that API */
1890+
if (!looks_like_command_line_option(value)) {
18811891
/*
18821892
* TODO: if case insensitive filesystem, then the following strcmp
18831893
* should be strcasecmp
18841894
*/
1885-
if (strcmp(sm->name, value) != 0) {
1886-
if (sm->path != sm->name)
1887-
git__free(sm->path);
1888-
sm->path = git__strdup(value);
1889-
GITERR_CHECK_ALLOC(sm->path);
1895+
if (strcmp(sm->name, value) != 0) {
1896+
if (sm->path != sm->name)
1897+
git__free(sm->path);
1898+
sm->path = git__strdup(value);
1899+
GITERR_CHECK_ALLOC(sm->path);
1900+
}
1901+
18901902
}
18911903
} else if (error != GIT_ENOTFOUND) {
18921904
goto cleanup;
18931905
}
18941906

18951907
if ((error = get_value(&value, cfg, &key, sm->name, "url")) == 0) {
1896-
in_config = 1;
1897-
sm->url = git__strdup(value);
1898-
GITERR_CHECK_ALLOC(sm->url);
1908+
/* We would warn here if we had that API */
1909+
if (!looks_like_command_line_option(value)) {
1910+
in_config = 1;
1911+
sm->url = git__strdup(value);
1912+
GITERR_CHECK_ALLOC(sm->url);
1913+
}
18991914
} else if (error != GIT_ENOTFOUND) {
19001915
goto cleanup;
19011916
}

0 commit comments

Comments
 (0)