From d135e45152a88b896b1d3e8770d5d59f694c2419 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Tue, 8 Jun 2021 10:08:49 +0200 Subject: [PATCH] CVE-2021-3572 --- src/pip/_internal/vcs/git.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py index a9c7fb6..b38625e 100644 --- a/src/pip/_internal/vcs/git.py +++ b/src/pip/_internal/vcs/git.py @@ -142,9 +142,15 @@ class Git(VersionControl): pass refs = {} - for line in output.strip().splitlines(): + # NOTE: We do not use splitlines here since that would split on other + # unicode separators, which can be maliciously used to install a + # different revision. + for line in output.strip().split("\n"): + line = line.rstrip("\r") + if not line: + continue try: - sha, ref = line.split() + sha, ref = line.split(" ", maxsplit=2) except ValueError: # Include the offending line to simplify troubleshooting if # this error ever occurs. -- 2.31.1