From b96507ee3bc891becd9078ec7556daa29f2cf513 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Mon, 19 Dec 2016 13:48:56 +0000 Subject: [PATCH] Tell `git revert` not to follow renames (CVE-2016-10026) Otherwise, we have an authorization bypass vulnerability: rcs_preprevert looks at what changed in the commit we are reverting, not at what would result from reverting it now. In particular, if some files were renamed since the commit we are reverting, a revert of changes that were within the designated subdirectory and allowed by check_canchange() might now affect files that are outside the designated subdirectory or disallowed by check_canchange(). Signed-off-by: Simon McVittie --- IkiWiki/Plugin/git.pm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/IkiWiki/Plugin/git.pm b/IkiWiki/Plugin/git.pm index 75b89e476..641e397eb 100644 --- a/IkiWiki/Plugin/git.pm +++ b/IkiWiki/Plugin/git.pm @@ -944,7 +944,9 @@ sub rcs_revert ($) { my $rev = shift; my ($sha1) = $rev =~ /^($sha1_pattern)$/; # untaint - if (run_or_non('git', 'revert', '--no-commit', $sha1)) { + if (run_or_non('git', 'revert', '--strategy=recursive', + '--strategy-option=no-renames', + '--no-commit', $sha1)) { return undef; } else { -- 2.39.5