CVE-2022-35861: Fixed relative path traversal due to using version string in path (#2412)

This commit is contained in:
James Stronz 2022-07-16 15:01:04 -07:00 committed by GitHub
parent 0eba0a5bd5
commit 22fa683571
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 3 deletions

View file

@ -11,7 +11,14 @@ if [ -s "$VERSION_FILE" ]; then
IFS="${IFS}"$'\r'
sep=
while read -n 1024 -r version _ || [[ $version ]]; do
[[ -z $version || $version == \#* ]] && continue
if [[ -z $version || $version == \#* ]]; then
# Skip empty lines and comments
continue
elif [ "$version" = ".." ] || [[ $version == */* ]]; then
# The version string is used to construct a path and we skip dubious values.
# This prevents issues such as path traversal (CVE-2022-35861).
continue
fi
printf "%s%s" "$sep" "$version"
sep=:
done <"$VERSION_FILE"

View file

@ -82,3 +82,15 @@ IN
run pyenv-version-file-read my-version
assert_success "3.9.3:3.8.9:2.7.16"
}
@test "skips relative path traversal" {
cat > my-version <<IN
3.9.3
3.8.9
..
./*
2.7.16
IN
run pyenv-version-file-read my-version
assert_success "3.9.3:3.8.9:2.7.16"
}