dulwich-1.2.9
Highlights of this release:
Security fixes
- Reject checkout paths whose leading component is a DOS drive-letter prefix on Windows (e.g.
C:), whichos.path.joinwould otherwise treat as absolute and let a crafted tree write outside the work tree. (reported by Luke Baton) - Bound zlib decompression of pack entries and loose objects against decompression-bomb DoS.
read_zlib_chunksnow caps the inflated size at the declareddecomp_len, and loose-object parsing acceptsmax_sizedefaulting to git'score.bigFileThreshold(512 MiB). (reported by Luke Bento) - Reject
OFS_DELTApack entries whosedelta_base_offsetis zero. Such an entry references itself, soPack.resolve_objectwould loop forever growing its delta stack until OOM. (reported by Luke Banto) - Bound
Transfer-Encoding: chunkedrequest bodies indulwich.web: strip chunk extensions, reject negative sizes, enforce per-chunk and per-request size limits, and cap requests that omitContent-Length. - Bound the running length when decoding EWAH bitmaps so a corrupt or malformed
.bitmapindex raisesValueErrorinstead of hanging in an unbounded loop that exhausts memory.
Other changes
- web: Reject smart HTTP
git-upload-pack/git-receive-packPOSTs whoseContent-Typeis not the exactapplication/x-<service>-requestvalue, matchinggit http-backend. dulwich.web: Warn at startup that runningpython3 -m dulwich.webis not intended as a production web server (no authentication, etc.).
See NEWS for the full list.