Merge pull request #9827 from pradyunsg/fix-git-improper-tag-handling

sbidoul · web-flow · commit e46bdda97113 · 2021-04-24T11:45:13.000+02:00
Don't split git references on unicode separators
diff --git a/news/9827.bugfix.rst b/news/9827.bugfix.rst
@@ -0,0 +1,3 @@
+**SECURITY**: Stop splitting on unicode separators in git references,
+which could be maliciously used to install a different revision on the
+repository.
diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
@@ -131,9 +131,15 @@ def get_revision_sha(cls, dest, rev):
             on_returncode='ignore',
         )
         refs = {}
-        for line in output.strip().splitlines():
+        # NOTE: We do not use splitlines here since that would split on other
+        #       unicode separators, which can be maliciously used to install a
+        #       different revision.
+        for line in output.strip().split("\n"):
+            line = line.rstrip("\r")
+            if not line:
+                continue
             try:
-                ref_sha, ref_name = line.split()
+                ref_sha, ref_name = line.split(" ", maxsplit=2)
             except ValueError:
                 # Include the offending line to simplify troubleshooting if
                 # this error ever occurs.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+SECURITY: Stop splitting on unicode separators in git references,`
	`2`	`+which could be maliciously used to install a different revision on the`
	`3`	`+repository.`