Merge pull request #894 from nim-lang/fixes-rce
Fixes RCE reported by Consensys.
Araq committed Feb 8, 2021
2 parents 5ac9984 + 89954f8 commit 7bd63d5
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions src/nimblepkg/download.nim
Expand Up @@ -88,7 +88,7 @@ proc getTagsListRemote*(url: string, meth: DownloadMethod): seq[string] =
result = @[]
case meth
of DownloadMethod.git:
var (output, exitCode) = doCmdEx("git ls-remote --tags " & url)
var (output, exitCode) = doCmdEx("git ls-remote --tags " & url.quoteShell())
if exitCode != QuitSuccess:
raise newException(OSError, "Unable to query remote tags for " & url &
". Git returned: " & output)
Expand Down Expand Up @@ -136,9 +136,9 @@ proc getHeadName*(meth: DownloadMethod): Version =

proc checkUrlType*(url: string): DownloadMethod =
## Determines the download method based on the URL.
if doCmdEx("git ls-remote " & url).exitCode == QuitSuccess:
if doCmdEx("git ls-remote " & url.quoteShell()).exitCode == QuitSuccess:
return DownloadMethod.git
elif doCmdEx("hg identify " & url).exitCode == QuitSuccess:
elif doCmdEx("hg identify " & url.quoteShell()).exitCode == QuitSuccess:
return DownloadMethod.hg
else:
raise newException(NimbleError, "Unable to identify url: " & url)
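Review bot: `quoteShell()` keeps the shell from interpreting metacharacters in `url`, but a value that begins with `-` is still handed to git or hg as an option rather than a repository, in both branches of `checkUrlType` and in the `git ls-remote --tags` call in `getTagsListRemote`. I would add an end-of-options separator before the URL, e.g. `if doCmdEx("git ls-remote -- " & url.quoteShell()).exitCode == QuitSuccess:` and `elif doCmdEx("hg identify -- " & url.quoteShell()).exitCode == QuitSuccess:`, or reject a leading-dash `url` before any command is built; `--` handling should be confirmed against the git and hg versions nimble supports. The body of `getTagsListRemote` continues outside its hunk, so its hg branch and any other call sites in download.nim that concatenate `url` into a command string are not visible here and presumably need the same quoting. Longer term, passing the URL as a separate argument to a process API that does not go through a shell would remove the dependence on quoting altogether.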
