Merge branch 'ah/fix-open-with-stdin'

j6t · ttaylorr · commit 4e7e3b792e69 · 2025-05-23T17:04:30.000-04:00
This addresses CVE-2025-27614, Arbitrary command execution with Gitk:

A Git repository can be crafted in such a way that with some social
engineering a user who has cloned the repository can be tricked into
running any script (e.g., Bourne shell, Perl, Python, ...) supplied by
the attacker by invoking `gitk filename`, where `filename` has a
particular structure. The script is run with the privileges of the user.

Signed-off-by: Johannes Sixt &lt;j6t@kdbg.org&gt;
diff --git a/gitk-git/gitk b/gitk-git/gitk
@@ -353,16 +353,6 @@ proc parseviewrevs {view revs} {
     return $ret
 }
 
-# Escapes a list of filter paths to be passed to git log via stdin. Note that
-# paths must not be quoted.
-proc escape_filter_paths {paths} {
-	set escaped [list]
-	foreach path $paths {
-		lappend escaped [string map {\\ \\\\ "\ " "\\\ "} $path]
-	}
-	return $escaped
-}
-
 # Start off a git log process and arrange to read its output
 proc start_rev_list {view} {
     global startmsecs commitidx viewcomplete curview
@@ -424,8 +414,7 @@ proc start_rev_list {view} {
     if {[catch {
         set fd [open [concat | git log --no-color -z --pretty=raw $show_notes \
                         --parents --boundary $args --stdin \
-                        "<<[join [concat $revs "--" \
-                                [escape_filter_paths $files]] "\\n"]"] r]
+                        [list "<<[join [concat $revs "--" $files] "\n"]"]] r]
     } err]} {
         error_popup "[mc "Error executing git log:"] $err"
         return 0
@@ -578,9 +567,7 @@ proc updatecommits {} {
     if {[catch {
         set fd [open [concat | git log --no-color -z --pretty=raw $show_notes \
                         --parents --boundary $args --stdin \
-                        "<<[join [concat $revs "--" \
-                                [escape_filter_paths \
-                                        $vfilelimit($view)]] "\\n"]"] r]
+                        [list "<<[join [concat $revs "--" $vfilelimit($view)] "\n"]"]] r]
     } err]} {
         error_popup "[mc "Error executing git log:"] $err"
         return
@@ -10258,7 +10245,7 @@ proc getallcommits {} {
         if {$ids eq "--all"} {
             set cmd [concat $cmd "--all"]
         } else {
-            set cmd [concat $cmd --stdin "<<[join $ids "\\n"]"]
+            set cmd [concat $cmd --stdin [list "<<[join $ids "\n"]"]]
         }
         set fd [open $cmd r]
         fconfigure $fd -blocking 0
