Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gitutils: add validation for ref (CVE-2019-13139) #38944

Merged
merged 1 commit into from
Mar 27, 2019
Merged

gitutils: add validation for ref (CVE-2019-13139) #38944

merged 1 commit into from
Mar 27, 2019

Conversation

andrewhsu
Copy link
Member

@andrewhsu andrewhsu commented Mar 26, 2019
edited

From a fix that @tonistiigi created, this PR adds validation for git ref so it can't be misinterpreted as a flag. fetch -- is a cleaner option but as it is theoretically possible to also hit it in checkout there's a custom validation as well.

Thanks to @staaldraad for pointing this issue out originally.

cc @justincormack

@tonistiigi @andrewhsu
gitutils: add validation for ref
a588898 
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 723b107ca4fba14580a6cd971e63d8af2e7d2bbe)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
thaJeztah
thaJeztah approved these changes Mar 26, 2019
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

This was referenced Mar 26, 2019
Merged
Closed
@codecov
Copy link

codecov bot commented Mar 27, 2019

Codecov Report

❗ No coverage uploaded for pull request base (master@639880e). Click here to learn what that means.
The diff coverage is 100%.

@@            Coverage Diff            @@
##             master   #38944   +/-   ##
=========================================
  Coverage          ?    36.9%           
=========================================
  Files             ?      614           
  Lines             ?    45404           
  Branches          ?        0           
=========================================
  Hits              ?    16757           
  Misses            ?    26357           
  Partials          ?     2290

@thaJeztah thaJeztah merged commit be7ac8b into moby:master Mar 27, 2019
thaJeztah added a commit to thaJeztah/cli that referenced this pull request Mar 27, 2019
@thaJeztah
bump engine 200b524eff60a9c95a22bc2518042ac2ff617d07 (18.09 branch)
010c234 
relevant changes;

- moby/moby#38006 / docker-archive/engine#114 client: use io.LimitedReader for reading HTTP error
- moby/moby#38634 / docker-archive/engine#167 pkg/archive:CopyTo(): fix for long dest filename
  - fixes docker/for-linux#484 for 18.09
- moby/moby#38944 / docker-archive/engine#183 gitutils: add validation for ref
- moby/moby#37780 / docker-archive/engine#55 pkg/progress: work around closing closed channel panic
  - addresses moby/moby#/37735 pkg/progress: panic due to race on shutdown

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah mentioned this pull request Mar 27, 2019
Merged
@andrewhsu andrewhsu deleted the gitutils branch March 27, 2019 16:01
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this pull request Mar 27, 2019
@thaJeztah
bump engine 200b524eff60a9c95a22bc2518042ac2ff617d07 (18.09 branch)
b3b20ef 
relevant changes;

- moby/moby#38006 / docker-archive/engine#114 client: use io.LimitedReader for reading HTTP error
- moby/moby#38634 / docker-archive/engine#167 pkg/archive:CopyTo(): fix for long dest filename
  - fixes docker/for-linux#484 for 18.09
- moby/moby#38944 / docker-archive/engine#183 gitutils: add validation for ref
- moby/moby#37780 / docker-archive/engine#55 pkg/progress: work around closing closed channel panic
  - addresses moby/moby#/37735 pkg/progress: panic due to race on shutdown

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 010c234a0d5a03d450ebec60be37dd9f279feeca
Component: cli
@thaJeztah thaJeztah changed the title gitutils: add validation for ref gitutils: add validation for ref (CVE-2019-13139) Jul 15, 2019
@staaldraad
Copy link

For reference

I requested a CVE and CVE-2019-13139 has been reserved for this issue.

@thaJeztah
Copy link
Member

@staaldraad thanks! I got notified of the CVE, so updated the titles of all the related PR's to include it 👍

We should probably update the release notes as well; https://github.com/docker/docker.github.io/blob/master/engine/release-notes.md#18094

Let me know if you're interested in opening a pull request in that repository, or if you want me to do so

@staaldraad staaldraad mentioned this pull request Jul 15, 2019
Merged
@staaldraad
Copy link

Thanks @thaJeztah 🎉

I've opened a PR -- wanted to tag you in as reviewer but it seems like labels and reviewers aren't available to non-project members

This was referenced Aug 30, 2019
Merged
Merged
@DavidGarciaCat DavidGarciaCat mentioned this pull request Aug 28, 2023
Open
@tatianab tatianab mentioned this pull request Nov 8, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justincormack justincormack justincormack approved these changes

@thaJeztah thaJeztah thaJeztah approved these changes

@tonistiigi tonistiigi Awaiting requested review from tonistiigi tonistiigi is a code owner

Assignees
No one assigned
Labels
area/builder status/4-merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@andrewhsu @staaldraad @thaJeztah @justincormack @GordonTheTurtle @tonistiigi