CVE-2022-35861: Fixed relative path traversal due to using version string in path (#2412)
comrumino committed Jul 16, 2022
1 parent 0eba0a5 commit 22fa683
Showing 2 changed files with 22 additions and 3 deletions.
13 changes: 10 additions & 3 deletions libexec/pyenv-version-file-read
Expand Up @@ -11,9 +11,16 @@ if [ -s "$VERSION_FILE" ]; then
IFS="${IFS}"$'\r'
sep=
while read -n 1024 -r version _ || [[ $version ]]; do
[[ -z $version || $version == \#* ]] && continue
printf "%s%s" "$sep" "$version"
sep=:
if [[ -z $version || $version == \#* ]]; then
# Skip empty lines and comments
continue
elif [ "$version" = ".." ] || [[ $version == */* ]]; then
# The version string is used to construct a path and we skip dubious values.
# This prevents issues such as path traversal (CVE-2022-35861).
continue
fi
printf "%s%s" "$sep" "$version"
sep=:
done <"$VERSION_FILE"
[[ $sep ]] && { echo; exit; }
fi
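Review bot: The new `elif` branch drops a dubious version line silently with `continue`, so a user whose version file contains an entry like `../3.9.3` gets no indication why that entry vanished from the output; consider printing a one-line warning to stderr before the `continue`, e.g. `echo "pyenv: ignoring dubious version string: $version" >&2`. Two smaller points on the same condition: `[ "$version" = ".." ] || [[ $version == */* ]]` mixes `[ ]` and `[[ ]]` in one test and could be the single `[[ $version == .. || $version == */* ]]` to match the `[[ ]]` style of the `if` line just above it; and a bare `.` is still accepted while `..` is rejected, so if the intent is to refuse any value that names a directory component rather than a version, `.` belongs alongside `..`, although whether that matters depends on the callers of this script, which are not part of this diff.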
12 changes: 12 additions & 0 deletions test/version-file-read.bats
Expand Up @@ -82,3 +82,15 @@ IN
run pyenv-version-file-read my-version
assert_success "3.9.3:3.8.9:2.7.16"
}

@test "skips relative path traversal" {
cat > my-version <<IN
3.9.3
3.8.9
..
./*
2.7.16
IN
run pyenv-version-file-read my-version
assert_success "3.9.3:3.8.9:2.7.16"
}
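Review bot: The new test pins the `*/*` branch only through `./*`, a value that also contains a glob metacharacter, so a regression in how the slash pattern is matched could be masked by how `*` happens to be handled; add a plain slash case such as `../3.9.3` or `3.9.3/` so that branch fails on its own. Since the reader in the first hunk appends `\r` to `IFS`, a case with a CRLF line ending (`..` followed by `\r`) would also be worth including to confirm the `..` comparison still catches it after the trailing `\r` is stripped.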

0 comments on commit 22fa683