github/pyenv
1
0
Fork 0
mirror of https://github.com/pyenv/pyenv.git synced 2024-11-14 20:39:55 -05:00
Code Issues Projects Releases Packages Wiki Activity

Disallow path segments and directory traversal in .ruby-version files

Browse source 
A malicious `.ruby-version` file in the current directory could inject
`../../../` into the version string and trigger execution of binaries
outside of `RBENV_ROOT/versions/`.

Fixes #977 OVE-20170303-0004
This commit is contained in:
Mislav Marohnić 2019-04-03 12:58:25 +02:00
parent a3fa9b73b8
commit 370c26a6c9
2 changed files with 19 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
libexec/rbenv-version-file-read
View file

@ -11,7 +11,9 @@ if [ -e "$VERSION_FILE" ]; then
words=( $(cut -b 1-1024 "$VERSION_FILE") ) words=( $(cut -b 1-1024 "$VERSION_FILE") )
version="${words[0]}" version="${words[0]}"
if [ -n "$version" ]; then if [ "$version" = ".." ] || [[ $version == */* ]]; then
echo "rbenv: invalid version in \`$VERSION_FILE'" >&2
elif [ -n "$version" ]; then
echo "$version" echo "$version"
exit exit
fi fi

16
test/version-file-read.bats
View file

@ -70,3 +70,19 @@ IN
run rbenv-version-file-read my-version run rbenv-version-file-read my-version
assert_success "1.9.3" assert_success "1.9.3"
} }
@test "prevents directory traversal" {
cat > my-version <<<".."
run rbenv-version-file-read my-version
assert_failure "rbenv: invalid version in \`my-version'"
cat > my-version <<<"../foo"
run rbenv-version-file-read my-version
assert_failure "rbenv: invalid version in \`my-version'"
}
@test "disallows path segments in version string" {
cat > my-version <<<"foo/bar"
run rbenv-version-file-read my-version
assert_failure "rbenv: invalid version in \`my-version'"
}