370c26a6c9
A malicious `.ruby-version` file in the current directory could inject `../../../` into the version string and trigger execution of binaries outside of `RBENV_ROOT/versions/`. Fixes #977 OVE-20170303-0004
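#!/usr/bin/env bash
# Usage: rbenv version-file-read <file>
set -e
[ -n "$RBENV_DEBUG" ] && set -x

# Prints the first whitespace-delimited word of <file> on stdout.
# Exit status: 0 when a version was printed; 1 when the file does not exist,
# holds no word, or holds an invalid version (a diagnostic goes to stderr in
# that last case).
VERSION_FILE="$1"

if [ -e "$VERSION_FILE" ]; then
  # Read the first word from the specified version file. Avoid reading it
  # whole: cut caps every line at 1024 bytes.
  # Carriage return is added to IFS so a CRLF-terminated file still yields a
  # clean word.
  IFS="${IFS}"$'\r'

  # The file content is untrusted. The substitution below must stay unquoted
  # to be split into words, but unquoted text is also subject to pathname
  # expansion, so a file holding e.g. `*` would be replaced by names from the
  # current directory. Switch globbing off for the split.
  set -f
  words=( $(cut -b 1-1024 "$VERSION_FILE") )
  set +f
  version="${words[0]}"

  # Reject `..` and anything containing a slash, so that a version file
  # cannot select a path outside the versions directory.
  if [ "$version" = ".." ] || [[ $version == */* ]]; then
    echo "rbenv: invalid version in \`$VERSION_FILE'" >&2
  elif [ -n "$version" ]; then
    # printf rather than echo: a word such as `-n` or `-e` would be taken as
    # an echo option and nothing would be printed.
    printf '%s\n' "$version"
    exit
  fi
fi

exit 1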