[Fusionforge-commits] FusionForge branch Branch_5_3 updated. afcfe76f5195af4566ff3a8280714383fcdb5a67

Roland Mas lolando at libremir.placard.fr.eu.org
Thu May 28 11:12:57 CEST 2015



The branch, Branch_5_3 has been updated
       via  afcfe76f5195af4566ff3a8280714383fcdb5a67 (commit)
      from  d8990bfbc5f9505b1f580bbd4be9016c617d0bf8 (commit)


- Log -----------------------------------------------------------------
commit afcfe76f5195af4566ff3a8280714383fcdb5a67
Author: Roland Mas <lolando at debian.org>
Date:   Tue May 26 22:12:40 2015 +0200

    Prevent arbitrary command execution via clone URL parameter of the method to create secondary Git repositories. Found by Ansgar Burchardt <ansgar at debian.org>. This is CVE-2015-0850.

diff --git a/src/plugins/scmgit/common/GitPlugin.class.php b/src/plugins/scmgit/common/GitPlugin.class.php
index 873468d..bb3113e 100644
--- a/src/plugins/scmgit/common/GitPlugin.class.php
+++ b/src/plugins/scmgit/common/GitPlugin.class.php
@@ -537,6 +537,10 @@ class GitPlugin extends SCMPlugin {
 			$repo_name = db_result($result,$i,'repo_name');
 			$description = db_result($result,$i,'description');
 			$clone_url = db_result($result,$i,'clone_url');
+            // Clone URLs need to be validated to prevent a potential arbitrary command execution
+            if (!preg_match('|^[-a-zA-Z0-9:./_]+$|', $clone_url)) {
+                    $clone_url = '';
+            }
 			$repodir = $root . '/' .  $repo_name . '.git';
 			if (!is_file("$repodir/HEAD") && !is_dir("$repodir/objects") && !is_dir("$repodir/refs")) {
 				if ($clone_url != '') {
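Review bot: The character class on the added line 35 still accepts a value that begins with `-`, so a stored clone_url such as `-u/tmp/x` passes the check and, if it is handed to git as a positional argument, would be parsed as an option rather than a URL (git accepts the attached short-option form). The second hunk avoids this by also requiring a `git://` or `https?://` prefix; this hunk re-validates values read back from the database, which may predate the validation in the create path, so it should apply the same prefix test so the two checks agree, e.g. `if (!preg_match('#^(git|https?)://[-a-zA-Z0-9:./_]+$#D', $clone_url)) {`. The `D` modifier (or `\z` in place of `$`) also stops a trailing newline from slipping through, since `$` matches before a final newline in PCRE. Where `$clone_url` is actually consumed is outside the hunk; whatever builds the git command there should still pass the value through `escapeshellarg()` and place it after a `--` separator, since this allow-list is defence in depth rather than the sink-side fix. The enclosing method continues outside the hunk.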
@@ -1075,8 +1079,9 @@ class GitPlugin extends SCMPlugin {
 			if ($url == '') {
 				// Start from empty
 				$clone = $url;
-			} elseif (preg_match('|^git://|', $url) || preg_match('|^https?://|', $url)) {
-				// External URLs: OK
+			} elseif ((preg_match('|^git://|', $url) || preg_match('|^https?://|', $url))
+				&& preg_match('|^[-a-zA-Z0-9:./_]+$|', $url)) {
+				// External URLs: OK, but they need to be validated to prevent a potential arbitrary command execution
 				$clone = $url;
 			} elseif ($url == $project->getUnixName()) {
 				$clone = $url;
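Review bot: The allow-list regex on line 48 duplicates the one in the first hunk byte for byte; a future edit to one site and not the other would silently reopen the gap, so it belongs in one place, e.g. a class constant `const CLONE_URL_RE = '|^[-a-zA-Z0-9:./_]+$|D';` referenced from both checks (the `D` modifier keeps `$` from matching before a trailing newline). The scheme test on line 47 already guarantees the value cannot start with `-`, so this branch is not open to git option injection on its own, but the rejected-URL fallthrough and the eventual git invocation are outside the hunk; the sink should still quote the value with `escapeshellarg()` and put it after `--`, so that input validation is not the only barrier. It is also worth recording that legitimate URLs are rejected by design, so nobody "fixes" the regex later: `// Deliberately rejects userinfo (@), ~, %, and query strings; the scheme check above rules out a leading '-'.`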

-----------------------------------------------------------------------

Summary of changes:
 src/plugins/scmgit/common/GitPlugin.class.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/plugins/scmgit/common/GitPlugin.class.php b/src/plugins/scmgit/common/GitPlugin.class.php
index 873468d..bb3113e 100644
--- a/src/plugins/scmgit/common/GitPlugin.class.php
+++ b/src/plugins/scmgit/common/GitPlugin.class.php
@@ -537,6 +537,10 @@ class GitPlugin extends SCMPlugin {
 			$repo_name = db_result($result,$i,'repo_name');
 			$description = db_result($result,$i,'description');
 			$clone_url = db_result($result,$i,'clone_url');
+            // Clone URLs need to be validated to prevent a potential arbitrary command execution
+            if (!preg_match('|^[-a-zA-Z0-9:./_]+$|', $clone_url)) {
+                    $clone_url = '';
+            }
 			$repodir = $root . '/' .  $repo_name . '.git';
 			if (!is_file("$repodir/HEAD") && !is_dir("$repodir/objects") && !is_dir("$repodir/refs")) {
 				if ($clone_url != '') {
@@ -1075,8 +1079,9 @@ class GitPlugin extends SCMPlugin {
 			if ($url == '') {
 				// Start from empty
 				$clone = $url;
-			} elseif (preg_match('|^git://|', $url) || preg_match('|^https?://|', $url)) {
-				// External URLs: OK
+			} elseif ((preg_match('|^git://|', $url) || preg_match('|^https?://|', $url))
+				&& preg_match('|^[-a-zA-Z0-9:./_]+$|', $url)) {
+				// External URLs: OK, but they need to be validated to prevent a potential arbitrary command execution
 				$clone = $url;
 			} elseif ($url == $project->getUnixName()) {
 				$clone = $url;

