#!/usr/bin/env bash
# Usage: pyenv version-file-read <file>
# Stop at the first unhandled command failure.
set -e

# Trace every command when PYENV_DEBUG is non-empty.
if [ -n "$PYENV_DEBUG" ]; then
  set -x
fi

# Path of the version file to read, taken from the first argument.
# Its contents are treated as untrusted input further down.
VERSION_FILE="$1"
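#######################################
# Decide whether a version name read from a version file may be used.
#
# Names that are exactly ".." or that contain a "/" are resolved against
# PYENV_ROOT/versions and accepted only if the directory exists and the
# resulting working directory is still below PYENV_ROOT/versions. Every
# other name is accepted without touching the filesystem.
#
# Globals:   PYENV_ROOT (read)
# Arguments: $1 - candidate version name
# Returns:   0 if the name is accepted, non-zero otherwise
#######################################
function is_version_safe() {
  # As needed, check that the constructed path exists as a child path of PYENV_ROOT/versions
  # `local` keeps this assignment from overwriting the caller's own
  # `version` variable.
  local version="$1"
  if [[ "$version" == ".." || "$version" == */* ]]; then
    # Sanity check the value of version to prevent malicious path-traversal
    # The check runs in a subshell so that neither the `cd` nor the `exit`
    # affects the calling shell.
    (
      # A missing or inaccessible directory rejects the name (fail closed).
      cd "$PYENV_ROOT/versions/$version" &>/dev/null || exit 1
      # NOTE(review): `cd` is used without -P, so unless the shell runs with
      # `set -o physical` $PWD is the logical path. A symlinked directory
      # under versions/ is therefore judged by where it sits, not by where
      # it points - confirm this is the intended trust boundary.
      [[ "$PWD" == "$PYENV_ROOT/versions/"* ]]
    )
    return $?
  else
    return 0
  fi
}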
# Emit the accepted version names from VERSION_FILE as one colon-separated
# line and exit 0. Exit 1 when the file is missing, empty, or yields no
# accepted name.
if [[ -s "$VERSION_FILE" ]]; then
  # Only the first whitespace-delimited word of each record is used, and the
  # file is never loaded whole: each `read` is capped at 1024 characters.
  # NOTE(review): because of that cap, a line longer than 1024 characters is
  # consumed over several reads, so its tail is parsed as a further record.
  # That tail still passes through the same checks below.

  # Treat carriage returns as word separators so CRLF files parse cleanly.
  IFS="${IFS}"$'\r'
  sep=""
  # `_` swallows the rest of the record; the `|| [[ ... ]]` arm keeps a final
  # record that has no trailing newline.
  while read -r -n 1024 version _ || [[ -n "$version" ]]; do
    # Skip empty lines and comments.
    [[ -n "$version" && "$version" != \#* ]] || continue

    if is_version_safe "$version"; then
      printf "%s%s" "$sep" "$version"
      sep=:
    else
      # CVE-2022-35861 allowed arbitrary code execution in some contexts and
      # is mitigated by is_version_safe. Rejected names are reported on
      # stderr and never reach stdout.
      echo "pyenv: invalid version \`$version' ignored in \`$VERSION_FILE'" >&2
    fi
  done <"$VERSION_FILE"

  # A non-empty separator means at least one name was printed: finish the
  # line and report success.
  if [[ -n "$sep" ]]; then
    echo
    exit
  fi
fi

exit 1