
Fix CVE-2023-40590 #1636

Merged
merged 3 commits into from Sep 1, 2023

Commits on Aug 30, 2023

  1. Fix CVE-2023-40590

    This fixes the path search bug where the current directory is
    included on Windows, by setting NoDefaultCurrentDirectoryInExePath
    for the caller. (Setting for the callee env would not work.)
    
    This sets it only on Windows, only for the duration of the Popen
    call, and then automatically unsets it or restores its old value.
    
    NoDefaultCurrentDirectoryInExePath is documented at:
    https://learn.microsoft.com/en-us/windows/win32/api/processenv/nf-processenv-needcurrentdirectoryforexepathw
    
    It automatically affects the behavior of subprocess.Popen on
    Windows, due to the way Popen uses the Windows API. (In contrast,
    it does not, at least currently on CPython, affect the behavior of
    shutil.which. But shutil.which is not being used to find git.exe.)
    EliahKagan committed Aug 30, 2023
    Commit 6029211
  2. Add a unit test for CVE-2023-40590

    This adds test_it_executes_git_not_from_cwd to verify that the
    execute method does not use "git.exe" in the current directory on
    Windows, nor "git" in the current directory on Unix-like systems,
    when those files are executable.
    
    It adds a _chdir helper context manager to support this, because
    contextlib.chdir is only available on Python 3.11 and later.
    EliahKagan committed Aug 30, 2023
    Commit 94e0fb0
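
The mechanism described in the first commit (a caller-side NoDefaultCurrentDirectoryInExePath that is set only for the duration of the Popen call and then unset or restored) and the check described in the second commit (a decoy executable in the current directory, run by bare name, with a _chdir stand-in for contextlib.chdir) as one added, self-contained Python example. This is not GitPython's code: the function names, the is_windows override, the apply_fix switch and the use of a copy of the interpreter as the Windows decoy are assumptions made for this example.

```python
import contextlib
import os
import shutil
import subprocess
import sys
import tempfile
from typing import Iterator, Optional

# Setting this in the *calling* process's environment makes the Win32 lookup
# (NeedCurrentDirectoryForExePath / CreateProcess) skip the current directory.
_NO_CWD_VAR = "NoDefaultCurrentDirectoryInExePath"


@contextlib.contextmanager
def cwd_excluded_from_exe_path(is_windows: Optional[bool] = None) -> Iterator[None]:
    """Set NoDefaultCurrentDirectoryInExePath for the caller, then restore it.

    Only acts on Windows. `is_windows` is an override so the Windows branch can
    be exercised from a test on any OS (an assumption of this example, not a
    GitPython API).
    """
    if is_windows is None:
        is_windows = os.name == "nt"
    if not is_windows:
        yield
        return
    old = os.environ.get(_NO_CWD_VAR)
    os.environ[_NO_CWD_VAR] = "1"
    try:
        yield
    finally:
        if old is None:
            os.environ.pop(_NO_CWD_VAR, None)   # was unset before: unset it again
        else:
            os.environ[_NO_CWD_VAR] = old       # restore the previous value


def popen_not_from_cwd(args, **kwargs) -> subprocess.Popen:
    """subprocess.Popen with the current directory excluded from lookup on Windows."""
    # CreateProcess runs inside the Popen constructor, so the flag is set for
    # exactly that call and nothing else.
    with cwd_excluded_from_exe_path():
        return subprocess.Popen(args, **kwargs)


def probe_flag_handling(is_windows: bool, preset: Optional[str]) -> tuple:
    """Report the flag's value inside and after the context, starting from `preset`."""
    if preset is None:
        os.environ.pop(_NO_CWD_VAR, None)
    else:
        os.environ[_NO_CWD_VAR] = preset
    with cwd_excluded_from_exe_path(is_windows=is_windows):
        inside = os.environ.get(_NO_CWD_VAR)
    return inside, os.environ.get(_NO_CWD_VAR)


@contextlib.contextmanager
def _chdir(path: str) -> Iterator[None]:
    """Minimal stand-in for contextlib.chdir, which needs Python 3.11+."""
    old = os.getcwd()
    os.chdir(path)
    try:
        yield
    finally:
        os.chdir(old)


def decoy_found_in_cwd(apply_fix: bool = True) -> bool:
    """Plant a decoy executable, chdir beside it and run it by bare name.

    Returns True if lookup resolved the bare name to the decoy in the current
    directory (the CVE-2023-40590 behaviour) and False if the current directory
    was ignored and the lookup raised FileNotFoundError.
    """
    name = "gitpython-decoy-%d" % os.getpid()       # not expected on any PATH
    with tempfile.TemporaryDirectory() as tmp:
        if os.name == "nt":
            # CreateProcess appends ".exe" to an extensionless name, so the decoy
            # must be a real executable; a copy of the interpreter is used here
            # purely as a self-contained stand-in (assumption of this example).
            shutil.copyfile(sys.executable, os.path.join(tmp, name + ".exe"))
        else:
            decoy = os.path.join(tmp, name)
            with open(decoy, "w") as fh:
                fh.write("#!/bin/sh\necho DECOY\n")
            os.chmod(decoy, 0o755)
        with _chdir(tmp):
            try:
                launch = popen_not_from_cwd if apply_fix else subprocess.Popen
                proc = launch([name], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
            except FileNotFoundError:
                return False    # bare name was not resolved via the cwd
            except OSError:
                return True     # resolved to the decoy, which then failed to start
            proc.wait()
            return True


if __name__ == "__main__":
    print("flag inside/after (Windows branch):", probe_flag_handling(True, None))
    print("decoy found in cwd with fix:", decoy_found_in_cwd(apply_fix=True))
```

probe_flag_handling exercises the set-then-unset and set-then-restore paths on any OS; decoy_found_in_cwd returns False on a POSIX host with a sane PATH whether or not apply_fix is set, and on Windows is expected to return True without the fix and False with it. As the commit message says, the variable has to live in the caller's own environment: passing it through Popen's env argument would only reach the child, after the lookup has already happened.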
  3. Don't check form of version number

    This changes the regex in test_it_executes_git_not_from_cwd so
    that (unlike test_it_executes_git_to_shell_and_returns_result) it
    only checks that the output starts with the words "git version",
    and not the form of whatever follows those words.
    EliahKagan committed Aug 30, 2023
    Commit 7611cd9