mirror of
https://github.com/pyenv/pyenv.git
synced 2024-12-18 02:46:51 -05:00
47b0ce77c0
* Fixes #2430 while still preventing CVE-2022-35861 * Adds a skipped version message to stderr Co-authored-by: Ivan Pozdeev <vano@mail.mipt.ru>
43 lines
1.3 KiB
Bash
Executable file
43 lines
1.3 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# Usage: pyenv version-file-read <file>
|
|
set -e
|
|
[ -n "$PYENV_DEBUG" ] && set -x
|
|
|
|
VERSION_FILE="$1"
|
|
|
|
function is_version_safe() {
|
|
# As needed, check that the constructed path exists as a child path of PYENV_ROOT/versions
|
|
version="$1"
|
|
if [[ "$version" == ".." || "$version" == */* ]]; then
|
|
# Sanity check the value of version to prevent malicious path-traversal
|
|
(
|
|
cd "$PYENV_ROOT/versions/$version" &>/dev/null || exit 1
|
|
[[ "$PWD" == "$PYENV_ROOT/versions/"* ]]
|
|
)
|
|
return $?
|
|
else
|
|
return 0
|
|
fi
|
|
}
|
|
|
|
if [ -s "$VERSION_FILE" ]; then
|
|
# Read the first non-whitespace word from the specified version file.
|
|
# Be careful not to load it whole in case there's something crazy in it.
|
|
IFS="$IFS"$'\r'
|
|
sep=
|
|
while read -n 1024 -r version _ || [[ $version ]]; do
|
|
if [[ -z "$version" || "$version" == \#* ]]; then
|
|
# Skip empty lines and comments
|
|
continue
|
|
elif ! is_version_safe "$version"; then
|
|
# CVE-2022-35861 allowed arbitrary code execution in some contexts and is mitigated by is_version_safe.
|
|
echo "pyenv: invalid version \`$version' ignored in \`$VERSION_FILE'" >&2
|
|
continue
|
|
fi
|
|
printf "%s%s" "$sep" "$version"
|
|
sep=:
|
|
done <"$VERSION_FILE"
|
|
[[ $sep ]] && { echo; exit; }
|
|
fi
|
|
|
|
exit 1
|