File php-composer2-CVE-2022-24828.patch of Package php-composer2.32589
diff -upr src/Composer/Repository/Vcs/GitDriver.php SRC.new/src/Composer/Repository/Vcs/GitDriver.php
--- a/src/Composer/Repository/Vcs/GitDriver.php 2022-08-24 12:22:50.919762392 +0200
+++ b/src/Composer/Repository/Vcs/GitDriver.php 2022-08-24 12:21:49.367380404 +0200
@@ -138,6 +138,9 @@ return null;
public function getFileContent($file, $identifier)
{
+if (isset($identifier[0]) && $identifier[0] === '-') {
+throw new \RuntimeException('Invalid git identifier detected. Identifier must not start with a -, given: ' . $identifier);
+}
$resource = sprintf('%s:%s', ProcessExecutor::escape($identifier), ProcessExecutor::escape($file));
$this->process->execute(sprintf('git show %s', $resource), $content, $this->repoDir);
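Review bot: The added guard deserves a comment explaining why a leading `-` is rejected, because the `ProcessExecutor::escape()` call on the next line looks to a casual reader like sufficient protection already: shell escaping keeps the identifier as one argument but does not stop git from parsing an argument that begins with `-` as an option rather than a revision, so the check is what keeps `git show` from receiving attacker-chosen options. Suggested comment above the `if`: `// shell escaping is not enough here: an identifier starting with '-' would be parsed by git as an option, not a revision`. The same comment is warranted on the equivalent guard in the HgDriver hunk. getFileContent's body continues outside the hunk.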
@@ -191,7 +194,7 @@ $branches = array();
$this->process->execute('git branch --no-color --no-abbrev -v', $output, $this->repoDir);
foreach ($this->process->splitLines($output) as $branch) {
if ($branch && !Preg::isMatch('{^ *[^/]+/HEAD }', $branch)) {
-if (Preg::isMatch('{^(?:\* )? *(\S+) *([a-f0-9]+)(?: .*)?$}', $branch, $match)) {
+if (Preg::isMatch('{^(?:\* )? *(\S+) *([a-f0-9]+)(?: .*)?$}', $branch, $match) && $match[1][0] !== '-') {
$branches[$match[1]] = $match[2];
}
}
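Review bot: Branches whose name starts with `-` are now silently dropped from `$branches` on the changed condition, with nothing to tell a maintainer why a ref that is present in the `git branch -v` output never appears, so the check is at risk of being "simplified" away later; a short comment at the condition would document the intent, e.g. `// refs starting with '-' are skipped: they would later be handed to git as an argument and parsed as an option`. The same applies to the two changed conditions in the HgDriver hunk (the `hg branches` and `hg bookmarks` loops), which could share the wording. The enclosing getBranches method starts before and ends after this hunk.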
diff -upr src/Composer/Repository/Vcs/HgDriver.php SRC.new/src/Composer/Repository/Vcs/HgDriver.php
--- a/src/Composer/Repository/Vcs/HgDriver.php 2022-08-24 12:22:50.919762392 +0200
+++ b/src/Composer/Repository/Vcs/HgDriver.php 2022-08-24 12:18:45.834241440 +0200
@@ -126,6 +126,9 @@ return null;
public function getFileContent($file, $identifier)
{
+if (isset($identifier[0]) && $identifier[0] === '-') {
+ throw new \RuntimeException('Invalid git identifier detected. Identifier must not start with a -, given: ' . $identifier);
+}
$resource = sprintf('hg cat -r %s %s', ProcessExecutor::escape($identifier), ProcessExecutor::escape($file));
$this->process->execute($resource, $content, $this->repoDir);
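Review bot: The exception message on the added throw line says 'Invalid git identifier detected' although this is HgDriver and the identifier is passed to `hg cat`; the message should name Mercurial, e.g. `throw new \RuntimeException('Invalid hg identifier detected. Identifier must not start with a -, given: ' . $identifier);`. The same line also appears to be indented one column differently from the surrounding `if`/`}` lines, which looks like a stray space introduced with the backport and should be aligned. The enclosing getFileContent method continues past the hunk.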
@@ -186,14 +189,14 @@ $bookmarks = array();
$this->process->execute('hg branches', $output, $this->repoDir);
foreach ($this->process->splitLines($output) as $branch) {
-if ($branch && Preg::isMatch('(^([^\s]+)\s+\d+:([a-f0-9]+))', $branch, $match)) {
+if ($branch && Preg::isMatch('(^([^\s]+)\s+\d+:([a-f0-9]+))', $branch, $match) && $match[1][0] !== '-') {
$branches[$match[1]] = $match[2];
}
}
$this->process->execute('hg bookmarks', $output, $this->repoDir);
foreach ($this->process->splitLines($output) as $branch) {
-if ($branch && Preg::isMatch('(^(?:[\s*]*)([^\s]+)\s+\d+:(.*)$)', $branch, $match)) {
+if ($branch && Preg::isMatch('(^(?:[\s*]*)([^\s]+)\s+\d+:(.*)$)', $branch, $match) && $match[1][0] !== '-') {
$bookmarks[$match[1]] = $match[2];
}
}