git@vger.kernel.org mailing list mirror (one of many)
 help / Atom feed
From: Javantea <jvoss@altsci.com>
To: git@vger.kernel.org
Subject: Gitview Shell Injection Vulnerability
Date: Tue, 27 Dec 2016 08:29:22 -0000
Message-ID: <20161227082922.8B7A813893D@mail.altsci.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 1570 bytes --]

I have found a shell injection vulnerability in contrib/gitview/gitview.

Gitview Shell Injection Vulnerability

Versions affected: 8cb711c8a5-1d1bdafd64 (<=2.11.0)

Gitview executes shell commands using string concatenation with user supplied data, filenames and branch names. Running Gitview and interacting with the user interface with a malicious filename or branch name in the current repository results in malicious commands being executed as the current user.

AnnotateWindow.add_file_data(self, filename, commit_sha1, line_num):
    fp = os.popen("git cat-file blob " + commit_sha1 +":"+filename)

AnnotateWindow.annotate(self, filename, commit_sha1, line_num):
    fp = os.popen("git ls-tree "+ commit_sha1 + " -- " + filename)
    fp = os.popen("git blame --incremental -C -C -- " + filename + " " + commit_sha1)

GitView.set_branch(self, args):
    fp = os.popen("git rev-parse --sq --default HEAD " + list_to_string(args, 1))
    fp = os.popen("git rev-list  --header --topo-order --parents " + git_rev_list_cmd)

The program also has other uses of os.popen but none use values that the user can manipulate. However, the fix should definitely replace these instances so that the code might one day pass pylint and manual code review easier.

The function os.popen has been replaced by safer functions in the subprocess module. The code can be improved easily because it requires very little change to convert the code to work with arrays of strings instead of strings.

If you have any questions or would like a patch, please let me know.

Regards,
Javantea

             reply index

Thread overview: 8+ messages in thread (expand / mbox.gz / Atom feed / [top])
2016-12-27  8:29 Javantea [this message]
2016-12-27 18:45 ` Stefan Beller
2016-12-28  6:42   ` Jeff King
2016-12-28 17:28     ` [PATCH] contrib: remove gitview Stefan Beller
2016-12-29  1:59       ` Jeff King
2017-01-01  0:55         ` Junio C Hamano
2017-01-02  6:46         ` Aneesh Kumar K.V
2016-12-28 19:28     ` Javantea

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply to all the recipients using the --to, --cc,
  and --in-reply-to switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161227082922.8B7A813893D@mail.altsci.com \
    --to=jvoss@altsci.com \
    --cc=git@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

git@vger.kernel.org mailing list mirror (one of many)

Archives are clonable:
	git clone --mirror https://public-inbox.org/git
	git clone --mirror http://ou63pmih66umazou.onion/git
	git clone --mirror http://czquwvybam4bgbro.onion/git
	git clone --mirror http://hjrcffqmbrq6wope.onion/git

Newsgroups are available over NNTP:
	nntp://news.public-inbox.org/inbox.comp.version-control.git
	nntp://ou63pmih66umazou.onion/inbox.comp.version-control.git
	nntp://czquwvybam4bgbro.onion/inbox.comp.version-control.git
	nntp://hjrcffqmbrq6wope.onion/inbox.comp.version-control.git
	nntp://news.gmane.org/gmane.comp.version-control.git

 note: .onion URLs require Tor: https://www.torproject.org/
       or Tor2web: https://www.tor2web.org/

AGPL code for this site: git clone https://public-inbox.org/ public-inbox