6d8684161e
We need to be careful to follow proper quoting rules. For example, if an argument contains spaces, we have to quote them. Double-quotes need to be escaped. Backslashes need to be escaped, but only if they are followed by a double-quote character. We need to be _extra_ careful to consider the case where an argument ends in a backslash _and_ needs to be quoted: in this case, we append a double-quote character, i.e. the backslash now has to be escaped! The current code, however, fails to recognize that, and therefore can turn an argument that ends in a single backslash into a quoted argument that now ends in an escaped double-quote character. This allows subsequent command-line parameters to be split and part of them being mistaken for command-line options, e.g. through a maliciously-crafted submodule URL during a recursive clone. Technically, we would not need to quote _all_ arguments which end in a backslash _unless_ the argument needs to be quoted anyway. For example, `test\` would not need to be quoted, while `test \` would need to be. To keep the code simple, however, and therefore easier to reason about and ensure its correctness, we now _always_ quote an argument that ends in a backslash. This addresses CVE-2019-1350. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
49 lines
1.4 KiB
Bash
Executable File
49 lines
1.4 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
test_description='check handling of .gitmodule url with dash'
|
|
. ./test-lib.sh
|
|
|
|
test_expect_success 'create submodule with protected dash in url' '
|
|
git init upstream &&
|
|
git -C upstream commit --allow-empty -m base &&
|
|
mv upstream ./-upstream &&
|
|
git submodule add ./-upstream sub &&
|
|
git add sub .gitmodules &&
|
|
git commit -m submodule
|
|
'
|
|
|
|
test_expect_success 'clone can recurse submodule' '
|
|
test_when_finished "rm -rf dst" &&
|
|
git clone --recurse-submodules . dst &&
|
|
echo base >expect &&
|
|
git -C dst/sub log -1 --format=%s >actual &&
|
|
test_cmp expect actual
|
|
'
|
|
|
|
test_expect_success 'remove ./ protection from .gitmodules url' '
|
|
perl -i -pe "s{\./}{}" .gitmodules &&
|
|
git commit -am "drop protection"
|
|
'
|
|
|
|
test_expect_success 'clone rejects unprotected dash' '
|
|
test_when_finished "rm -rf dst" &&
|
|
test_must_fail git clone --recurse-submodules . dst 2>err &&
|
|
test_i18ngrep ignoring err
|
|
'
|
|
|
|
test_expect_success 'trailing backslash is handled correctly' '
|
|
git init testmodule &&
|
|
test_commit -C testmodule c &&
|
|
git submodule add ./testmodule &&
|
|
: ensure that the name ends in a double backslash &&
|
|
sed -e "s|\\(submodule \"testmodule\\)\"|\\1\\\\\\\\\"|" \
|
|
-e "s|url = .*|url = \" --should-not-be-an-option\"|" \
|
|
<.gitmodules >.new &&
|
|
mv .new .gitmodules &&
|
|
git commit -am "Add testmodule" &&
|
|
test_must_fail git clone --verbose --recurse-submodules . dolly 2>err &&
|
|
test_i18ngrep ! "unknown option" err
|
|
'
|
|
|
|
test_done
|