Tell `git revert` not to follow renames

Otherwise, we have an authorization bypass vulnerability: rcs_preprevert
looks at what changed in the commit we are reverting, not at what would
result from reverting it now. In particular, if some files were renamed
since the commit we are reverting, a revert of changes that were within
the designated subdirectory and allowed by check_canchange() might now
affect files that are outside the designated subdirectory or disallowed
by check_canchange().

Signed-off-by: Simon McVittie <smcv@debian.org>
master
Simon McVittie 2016-12-19 13:48:56 +00:00
parent 7244b712c1
commit 9cada49ed6
2 changed files with 10 additions and 1 deletions

View File

@ -973,7 +973,9 @@ sub rcs_revert ($) {
ensure_committer(); ensure_committer();
if (run_or_non('git', 'revert', '--no-commit', $sha1)) { if (run_or_non('git', 'revert', '--strategy=recursive',
'--strategy-option=no-renames',
'--no-commit', $sha1)) {
return undef; return undef;
} }
else { else {

View File

@ -16,3 +16,10 @@ when reverting.
> vulnerabilities (such as authorization bypass) by private email to the > vulnerabilities (such as authorization bypass) by private email to the
> maintainers, so that they are not visible to the general public > maintainers, so that they are not visible to the general public
> until we have had a chance to fix the bug. --[[smcv]] > until we have had a chance to fix the bug. --[[smcv]]
> Fixed by using
> `git revert --strategy=recursive --strategy-option=no-renames`.
> I tried to do something more clever (doing the revert, and checking
> whether it made changes that aren't allowed) but couldn't get it to
> work in a reasonable time, so I'm going with the simpler fix.
> [[Fix committed|done]], a release will follow later today. --[[smcv]]