
Disallow path segments and directory traversal in .ruby-version files

A malicious `.ruby-version` file in the current directory could inject
`../../../` into the version string and trigger execution of binaries
outside of `RBENV_ROOT/versions/`.

Fixes #977 OVE-20170303-0004
This commit is contained in:
Mislav Marohnić
2019-04-03 12:58:25 +02:00
parent a3fa9b73b8
commit 370c26a6c9
2 changed files with 19 additions and 1 deletions


@@ -70,3 +70,19 @@ IN
run rbenv-version-file-read my-version
assert_success "1.9.3"
}
@test "prevents directory traversal" {
cat > my-version <<<".."
run rbenv-version-file-read my-version
assert_failure "rbenv: invalid version in \`my-version'"
cat > my-version <<<"../foo"
run rbenv-version-file-read my-version
assert_failure "rbenv: invalid version in \`my-version'"
}
@test "disallows path segments in version string" {
cat > my-version <<<"foo/bar"
run rbenv-version-file-read my-version
assert_failure "rbenv: invalid version in \`my-version'"
}
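Review bot: The two new tests pin `..`, `../foo` and `foo/bar`, but neither covers a version string that is an absolute path (leading `/`) or the lone segment `.`, which would make `RBENV_ROOT/versions/.` resolve to the versions directory itself. The rejecting check lives in rbenv-version-file-read, the other changed file, which is outside this hunk, so whether those inputs already fail cannot be confirmed from here; a test makes the contract explicit either way. One extra case in "disallows path segments in version string" would do it: `cat > my-version <<<"/foo"`, `run rbenv-version-file-read my-version`, `assert_failure "rbenv: invalid version in \`my-version'"`, with a parallel case for `.` in "prevents directory traversal". The test whose closing lines open this hunk starts outside it.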