Merge branch 'ah/fix-open-with-stdin'

j6t · j6t · commit 0c8be6f09043 · 2025-07-08T20:48:25.000+02:00
This addresses CVE-2025-27614, Arbitrary command execution with Gitk:

A Git repository can be crafted in such a way that with some social
engineering a user who has cloned the repository can be tricked into
running any script (e.g., Bourne shell, Perl, Python, ...) supplied by
the attacker by invoking `gitk filename`, where `filename` has a
particular structure. The script is run with the privileges of the user.

* ah/fix-open-with-stdin:
  gitk: encode arguments correctly with "open"

Signed-off-by: Johannes Sixt &lt;j6t@kdbg.org&gt;
diff --git a/gitk b/gitk
@@ -457,16 +457,6 @@ proc parseviewrevs {view revs} {
     return $ret
 }
 
-# Escapes a list of filter paths to be passed to git log via stdin. Note that
-# paths must not be quoted.
-proc escape_filter_paths {paths} {
-    set escaped [list]
-    foreach path $paths {
-        lappend escaped [string map {\\ \\\\ "\ " "\\\ "} $path]
-    }
-    return $escaped
-}
-
 # Start off a git log process and arrange to read its output
 proc start_rev_list {view} {
     global startmsecs commitidx viewcomplete curview
@@ -528,8 +518,7 @@ proc start_rev_list {view} {
     if {[catch {
         set fd [open [concat | git log --no-color -z --pretty=raw $show_notes \
                         --parents --boundary $args --stdin \
-                        "<<[join [concat $revs "--" \
-                                [escape_filter_paths $files]] "\\n"]"] r]
+                        [list "<<[join [concat $revs "--" $files] "\n"]"]] r]
     } err]} {
         error_popup "[mc "Error executing git log:"] $err"
         return 0
@@ -682,9 +671,7 @@ proc updatecommits {} {
     if {[catch {
         set fd [open [concat | git log --no-color -z --pretty=raw $show_notes \
                         --parents --boundary $args --stdin \
-                        "<<[join [concat $revs "--" \
-                                [escape_filter_paths \
-                                        $vfilelimit($view)]] "\\n"]"] r]
+                        [list "<<[join [concat $revs "--" $vfilelimit($view)] "\n"]"]] r]
     } err]} {
         error_popup "[mc "Error executing git log:"] $err"
         return
@@ -10376,7 +10363,7 @@ proc getallcommits {} {
         if {$ids eq "--all"} {
             set cmd [concat $cmd "--all"]
         } else {
-            set cmd [concat $cmd --stdin "<<[join $ids "\\n"]"]
+            set cmd [concat $cmd --stdin [list "<<[join $ids "\n"]"]]
         }
         set fd [open $cmd r]
         fconfigure $fd -blocking 0
