
python-dulwich-0.12.0-1.2.mga6.src.rpm

diff -ru dulwich-0.12.0.orig/NEWS dulwich-0.12.0/NEWS
--- dulwich-0.12.0.orig/NEWS	2015-12-13 15:31:07.000000000 +0000
+++ dulwich-0.12.0/NEWS	2018-10-27 01:02:17.081393785 +0000
@@ -1,3 +1,8 @@
+0.12.0-1.1 mga
+  * Prevent setting SSH arguments from SSH URLs when using SSH through a
+    subprocess. Note that Dulwich doesn't support cloning submodules.
+    (CVE 2017-1000117) (Jelmer Vernooij)
+
 0.12.0	2015-12-13
 
  IMPROVEMENTS
diff -ru dulwich-0.12.0.orig/dulwich/client.py dulwich-0.12.0/dulwich/client.py
--- dulwich-0.12.0.orig/dulwich/client.py	2018-10-27 01:00:29.862986093 +0000
+++ dulwich-0.12.0/dulwich/client.py	2018-10-27 01:03:26.270350253 +0000
@@ -866,6 +866,13 @@
         raise NotImplementedError(self.run_command)
 
 
+class StrangeHostname(Exception):
+    """Refusing to connect to strange SSH hostname."""
+
+    def __init__(self, hostname):
+        super(StrangeHostname, self).__init__(hostname)
+
+
 class SubprocessSSHVendor(SSHVendor):
     """SSH vendor that shells out to the local 'ssh' command."""
 
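Review bot: `StrangeHostname.__init__` forwards only the raw hostname to `Exception`, so `str(exc)` is just the rejected value and the reason for the refusal lives only in the class docstring. Put the reason in the message and format the value with `%r`, so a hostname containing control characters cannot split a log line: `super(StrangeHostname, self).__init__("Refusing to connect to strange SSH hostname %r" % (hostname,))`. Setting `self.hostname = hostname` as well would keep the raw value available to callers that want it.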
@@ -876,6 +876,8 @@
             args.extend(['-p', str(port)])
         if username is not None:
             host = '%s@%s' % (username, host)
+        if host.startswith('-'):
+            raise StrangeHostname(hostname=host)
         args.append(host)
         proc = subprocess.Popen(args + [command],
                                 stdin=subprocess.PIPE,
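Review bot: The `host.startswith('-')` guard depends on running after the `user@host` join, and no comment records that ordering or why a leading dash is rejected. Testing the joined string is correct because it is the exact element appended to `args`, but a later reorder could silently weaken the check. Add a comment above it such as `# Checked after the user@host join: an argument starting with '-' would be read by ssh as an option (CVE 2017-1000117).` As defence in depth, consider `args.append('--')` before `args.append(host)` so the host position is never parsed as an option. That assumes every ssh client this vendor drives accepts `--`, which should be confirmed; `run_command` itself starts and ends outside this hunk.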
diff -ru dulwich-0.12.0.orig/dulwich/tests/test_client.py dulwich-0.12.0/dulwich/tests/test_client.py
--- dulwich-0.12.0.orig/dulwich/tests/test_client.py	2015-12-13 15:31:07.000000000 +0000
+++ dulwich-0.12.0/dulwich/tests/test_client.py	2018-10-27 01:04:50.549081963 +0000
@@ -35,6 +35,8 @@
     HttpGitClient,
     ReportStatusParser,
     SendPackError,
+    StrangeHostname,
+    SubprocessSSHVendor,
     UpdateRefsError,
     get_transport_and_path,
     get_transport_and_path_from_url,
@@ -516,6 +518,12 @@
         setattr(Subprocess, 'can_read', lambda: None)
         return Subprocess()
 
+class SubprocessSSHVendorTests(TestCase):
+
+    def test_run_command_dashes(self):
+        vendor = SubprocessSSHVendor()
+        self.assertRaises(StrangeHostname, vendor.run_command, '--weird-host',
+                          'git-clone-url')
 
 class SSHGitClientTests(TestCase):
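Review bot: `test_run_command_dashes` covers only a bare host beginning with `-`; the path where a username is supplied and the joined `user@host` string is checked has no test. Assuming `username` is a keyword parameter of `run_command` (its signature is outside this diff), add `self.assertRaises(StrangeHostname, vendor.run_command, 'host', 'git-clone-url', username='-weird')`. Keep to cases that raise, since a call that passes the guard goes on to `subprocess.Popen` and would start a real ssh process. The new class also has only one blank line before and after it, where the rest of the file uses two.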