Slightly older version of master from https://github.com/j6t/gitk

Merge branch 'ah/fix-open-with-stdin'

This addresses CVE-2025-27614, Arbitrary command execution with Gitk:

A Git repository can be crafted in such a way that with some social
engineering a user who has cloned the repository can be tricked into
running any script (e.g., Bourne shell, Perl, Python, ...) supplied by
the attacker by invoking `gitk filename`, where `filename` has a
particular structure. The script is run with the privileges of the user.

* ah/fix-open-with-stdin:
gitk: encode arguments correctly with "open"

Signed-off-by: Johannes Sixt <j6t@kdbg.org>

+3 -16
+3 -16
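--- a/gitk
+++ b/gitk
@@ -457,16 +457,6 @@
 return $ret
 }
 
-# Escapes a list of filter paths to be passed to git log via stdin. Note that
-# paths must not be quoted.
-proc escape_filter_paths {paths} {
-set escaped [list]
-foreach path $paths {
-lappend escaped [string map {\\ \\\\ "\ " "\\\ "} $path]
-}
-return $escaped
-}
-
 # Start off a git log process and arrange to read its output
 proc start_rev_list {view} {
 global startmsecs commitidx viewcomplete curview
@@ -528,8 +518,7 @@
 if {[catch {
 set fd [open [concat | git log --no-color -z --pretty=raw $show_notes \
 --parents --boundary $args --stdin \
-"<<[join [concat $revs "--" \
-[escape_filter_paths $files]] "\\n"]"] r]
+[list "<<[join [concat $revs "--" $files] "\n"]"]] r]
 } err]} {
 error_popup "[mc "Error executing git log:"] $err"
 return 0
@@ -682,9 +671,7 @@
 if {[catch {
 set fd [open [concat | git log --no-color -z --pretty=raw $show_notes \
 --parents --boundary $args --stdin \
-"<<[join [concat $revs "--" \
-[escape_filter_paths \
-$vfilelimit($view)]] "\\n"]"] r]
+[list "<<[join [concat $revs "--" $vfilelimit($view)] "\n"]"]] r]
 } err]} {
 error_popup "[mc "Error executing git log:"] $err"
 return
@@ -10376,7 +10363,7 @@
 if {$ids eq "--all"} {
 set cmd [concat $cmd "--all"]
 } else {
-set cmd [concat $cmd --stdin "<<[join $ids "\\n"]"]
+set cmd [concat $cmd --stdin [list "<<[join $ids "\n"]"]]
 }
 set fd [open $cmd r]
 fconfigure $fd -blocking 0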
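Review bot: The three rewritten `--stdin` lines (new lines 521, 674 and 10366) carry no comment explaining why the here-string is now wrapped in `[list ...]` and why the join separator changed from the two-character `"\\n"` to a real newline, and the removed `escape_filter_paths` header was the only place this was documented, so the next maintainer has nothing stopping them from reverting to the bare-string form that this commit fixes. I would add at each site a comment such as `# [list] makes the whole "<<..." here-string ONE element of the command list passed to open, so whitespace or metacharacters in the revs or paths cannot split it into extra words; with the string quoted by list, a real newline is the correct separator (the old "\\n" only worked because the bare string was re-parsed as a list).` Since the same argument is built by hand three times, hoisting it into one small helper that returns the `[list "<<..."]` element would keep the three call sites from drifting apart. Note that `$files` and `$vfilelimit($view)` still go through `concat` before `join`, so each must already be a well-formed list element; that appears to hold for values coming from the command line, but it is worth stating in the comment. The body of `start_rev_list` continues past the second hunk, and the procs enclosing the third and fourth hunks begin outside the hunk.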