This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "FusionForge".

The branch, Branch_5_3 has been updated
       via  afcfe76f5195af4566ff3a8280714383fcdb5a67 (commit)
      from  d8990bfbc5f9505b1f580bbd4be9016c617d0bf8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit afcfe76f5195af4566ff3a8280714383fcdb5a67
Author: Roland Mas <[email protected]>
Date:   Tue May 26 22:12:40 2015 +0200

    Prevent arbitrary command execution via clone URL parameter of the method 
to create secondary Git repositories. Found by Ansgar Burchardt 
<[email protected]>. This is CVE-2015-0850.

diff --git a/src/plugins/scmgit/common/GitPlugin.class.php 
b/src/plugins/scmgit/common/GitPlugin.class.php
index 873468d..bb3113e 100644
--- a/src/plugins/scmgit/common/GitPlugin.class.php
+++ b/src/plugins/scmgit/common/GitPlugin.class.php
@@ -537,6 +537,10 @@ class GitPlugin extends SCMPlugin {
                        $repo_name = db_result($result,$i,'repo_name');
                        $description = db_result($result,$i,'description');
                        $clone_url = db_result($result,$i,'clone_url');
+            // Clone URLs need to be validated to prevent a potential 
arbitrary command execution
+            if (!preg_match('|^[-a-zA-Z0-9:./_]+$|', $clone_url)) {
+                    $clone_url = '';
+            }
                        $repodir = $root . '/' .  $repo_name . '.git';
                        if (!is_file("$repodir/HEAD") && 
!is_dir("$repodir/objects") && !is_dir("$repodir/refs")) {
                                if ($clone_url != '') {
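Review bot: The allowlist added before `$repodir` still accepts a stored `$clone_url` that begins with `-`, because `-` is the first member of the character class; if, as the commit message implies, that value is later handed to a git command (that use is outside the hunk), an option-like value is not what the check intends to let through, so the first character should be pinned as well, e.g. `if (!preg_match('|^[a-zA-Z0-9][-a-zA-Z0-9:./_]*$|', $clone_url)) {`. This site also has to cover rows written before the input-side check near line 1079 existed, so it should be at least as strict as that one. The comment on the added line would be more useful if it stated what is enforced, e.g. `// Allowlist for stored clone URLs: URL/path characters only, since the value is passed on to git`. The added lines are indented with spaces while the surrounding lines use tabs, and the same hunk is repeated in the second copy of the patch further down this email.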
@@ -1075,8 +1079,9 @@ class GitPlugin extends SCMPlugin {
                        if ($url == '') {
                                // Start from empty
                                $clone = $url;
-                       } elseif (preg_match('|^git://|', $url) || 
preg_match('|^https?://|', $url)) {
-                               // External URLs: OK
+                       } elseif ((preg_match('|^git://|', $url) || 
preg_match('|^https?://|', $url))
+                               && preg_match('|^[-a-zA-Z0-9:./_]+$|', $url)) {
+                               // External URLs: OK, but they need to be 
validated to prevent a potential arbitrary command execution
                                $clone = $url;
                        } elseif ($url == $project->getUnixName()) {
                                $clone = $url;
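Review bot: The allowlist `'|^[-a-zA-Z0-9:./_]+$|'` on the new `&&` line is the same literal the commit adds near line 537, and two hand-copied patterns can drift apart if one is tightened later; a class constant such as `const CLONE_URL_PATTERN = '|^[-a-zA-Z0-9:./_]+$|';` used at both sites would keep the stored-value check and the input check identical. A URL that fails the new check falls through to the `getUnixName()` comparison and then to whatever follows outside the hunk, so it is worth confirming that the later branch reports a rejection rather than silently doing something else. The comment `// External URLs: OK, but they need to be validated ...` could name what is excluded, e.g. `// External URLs: accepted only if limited to [-a-zA-Z0-9:./_] (no userinfo, query string or shell-significant characters)`. The enclosing function starts and ends outside the hunk, and the same hunk is repeated in the second copy of the patch further down this email.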

-----------------------------------------------------------------------

Summary of changes:
 src/plugins/scmgit/common/GitPlugin.class.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/plugins/scmgit/common/GitPlugin.class.php 
b/src/plugins/scmgit/common/GitPlugin.class.php
index 873468d..bb3113e 100644
--- a/src/plugins/scmgit/common/GitPlugin.class.php
+++ b/src/plugins/scmgit/common/GitPlugin.class.php
@@ -537,6 +537,10 @@ class GitPlugin extends SCMPlugin {
                        $repo_name = db_result($result,$i,'repo_name');
                        $description = db_result($result,$i,'description');
                        $clone_url = db_result($result,$i,'clone_url');
+            // Clone URLs need to be validated to prevent a potential 
arbitrary command execution
+            if (!preg_match('|^[-a-zA-Z0-9:./_]+$|', $clone_url)) {
+                    $clone_url = '';
+            }
                        $repodir = $root . '/' .  $repo_name . '.git';
                        if (!is_file("$repodir/HEAD") && 
!is_dir("$repodir/objects") && !is_dir("$repodir/refs")) {
                                if ($clone_url != '') {
@@ -1075,8 +1079,9 @@ class GitPlugin extends SCMPlugin {
                        if ($url == '') {
                                // Start from empty
                                $clone = $url;
-                       } elseif (preg_match('|^git://|', $url) || 
preg_match('|^https?://|', $url)) {
-                               // External URLs: OK
+                       } elseif ((preg_match('|^git://|', $url) || 
preg_match('|^https?://|', $url))
+                               && preg_match('|^[-a-zA-Z0-9:./_]+$|', $url)) {
+                               // External URLs: OK, but they need to be 
validated to prevent a potential arbitrary command execution
                                $clone = $url;
                        } elseif ($url == $project->getUnixName()) {
                                $clone = $url;

