This adds a test_it_executes_git_not_from_cwd case for shell=True.
(This case also gives the command as a string, so the test need not
be further special-cased for non-Windows systems, where argument
lists aren't accepted with shell=True.)
The test did not attempt to cover the shell=True case before,
because I had erroneously assumed it worked similarly. It is
actually very different, because when a shell is used, both the
shell and the command the shell runs must be found and executed,
and because the process creation GitPython performs is that of the
shell process, with the state of the shell process being what is
relevant to how the path search is done for the git (or other)
command.
The code change here does not itself demonstrate that the test is
broken for shell=True, because that case passes. However, manually
undoing the fix in cmd.py for CVE-2023-40590, which as expected
causes the preexisting (implicitly shell=False) case to fail, does
*not* cause the new shell=True case to fail. That case passes!
That passing result in the absence of a fix for CVE-2023-40590 is
erroneous, because the cmd.exe shell does search the CWD first when
nothing has been done to prevent it.