changeset 8503:a8a51a3bdb61 stable
git: disallow odd characters in path of git:// URLs
Mitigate https://blog.harold.kim/2020/11/invalid-url-on-git-clone-leading-to-ssrf
until the problem is fixed properly in Git.
The checks might be more strict than necessary but should not have any impact
on real world use cases.
Thanks to stypr of Flatt Security for raising this.
author | Mads Kiilerich <mads@kiilerich.com> |
date | Thu, 19 Nov 2020 21:33:11 +0100 |
parents | 3ea3d3a2b3e3 |
children | e7fd22ecf6f9 |
files | kallithea/lib/vcs/backends/git/repository.py |
diffstat | 1 files changed, 12 insertions(+), 0 deletions(-) [+] |
--- a/kallithea/lib/vcs/backends/git/repository.py Sun Nov 22 01:32:23 2020 +0100
+++ b/kallithea/lib/vcs/backends/git/repository.py Thu Nov 19 21:33:11 2020 +0100
@@ -163,6 +163,18 @@
             return True
         if url.startswith('git://'):
+            try:
+                _git_colon, _empty, _host, path = url.split('/', 3)
+            except ValueError:
+                raise urllib.error.URLError("Invalid URL: %r" % url)
+            # Mitigate problems elsewhere with incorrect handling of encoded paths.
+            # Don't trust urllib.parse.unquote but be prepared for more flexible implementations elsewhere.
+            # Space is the only allowed whitespace character - directly or % encoded. No other % or \ is allowed.
+            for c in path.replace('%20', ' '):
+                if c in '%\\':
+                    raise urllib.error.URLError("Invalid escape character in path: '%s'" % c)
+                if c.isspace() and c != ' ':
+                    raise urllib.error.URLError("Invalid whitespace character in path: %r" % c)
             return True
         if not url.startswith('http://') and not url.startswith('https://'):
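Review bot: The per-character loop in the new `git://` branch rejects `%`, `\` and non-space whitespace, but other non-printable characters (C0 controls such as `\x01` or `\x1b`, and DEL) still pass, even though they are just as implausible in a real repository path as the characters already rejected. Adding a third check inside the loop, `if not c.isprintable(): raise urllib.error.URLError("Invalid control character in path: %r" % c)`, closes that gap without changing the two existing checks (`str.isprintable` is true for ASCII space, so `%20` handling is unaffected). Separately, `_host` is split off and then discarded without validation; if the host component reaches git unchanged, the same reasoning about odd characters applies to it, so either a check or a comment stating why it needs none would help the next reader. The enclosing function starts and ends outside the hunk.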