changeset 8503:a8a51a3bdb61 stable

git: disallow odd characters in path of git:// URLs

Mitigate https://blog.harold.kim/2020/11/invalid-url-on-git-clone-leading-to-ssrf until the problem is fixed properly in Git. The checks might be more strict than necessary but should not have any impact on real-world use cases. Thanks to stypr of Flatt Security for raising this.
author Mads Kiilerich <mads@kiilerich.com>
date Thu, 19 Nov 2020 21:33:11 +0100
parents 3ea3d3a2b3e3
children e7fd22ecf6f9
files kallithea/lib/vcs/backends/git/repository.py
diffstat 1 files changed, 12 insertions(+), 0 deletions(-) [+]
--- a/kallithea/lib/vcs/backends/git/repository.py	Sun Nov 22 01:32:23 2020 +0100
+++ b/kallithea/lib/vcs/backends/git/repository.py	Thu Nov 19 21:33:11 2020 +0100
@@ -163,6 +163,18 @@
             return True
 
         if url.startswith('git://'):
+            try:
+                _git_colon, _empty, _host, path = url.split('/', 3)
+            except ValueError:
+                raise urllib.error.URLError("Invalid URL: %r" % url)
+            # Mitigate problems elsewhere with incorrect handling of encoded paths.
+            # Don't trust urllib.parse.unquote but be prepared for more flexible implementations elsewhere.
+            # Space is the only allowed whitespace character - directly or % encoded. No other % or \ is allowed.
+            for c in path.replace('%20', ' '):
+                if c in '%\\':
+                    raise urllib.error.URLError("Invalid escape character in path: '%s'" % c)
+                if c.isspace() and c != ' ':
+                    raise urllib.error.URLError("Invalid whitespace character in path: %r" % c)
             return True
 
         if not url.startswith('http://') and not url.startswith('https://'):
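Review bot: The character loop rejects `%`, `\` and non-space whitespace in the path, but other control characters pass, because `str.isspace()` is false for NUL and for `\x01`–`\x1f`/`\x7f`; NUL in particular is the field separator on the git:// wire and is exactly the kind of byte a mitigation of this class should refuse. Replacing the whitespace test with `if not c.isprintable(): raise urllib.error.URLError("Invalid character in path: %r" % c)` keeps a plain space allowed (it is the one whitespace `isprintable()` accepts), still rejects every whitespace the current check rejects, and additionally rejects control and non-printing Unicode characters, in keeping with the commit's stated "stricter than necessary" stance. Separately, `_host` is unpacked and then discarded unchecked; if the downstream Git invocation decodes or re-parses the authority the same way it does the path, the same `%`/`\`/whitespace check should be applied to it too — worth confirming against the linked write-up. The enclosing function starts before this hunk, so the callers relying on the `return True` contract are not visible here.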