Fix CVE-2023-40590 by EliahKagan · Pull Request #1636 · gitpython-developers/GitPython

Fixes #1635

This fixes the path search bug where the current directory is included on Windows, by setting NoDefaultCurrentDirectoryInExePath for the caller. (Setting for the callee env would not work.)

This sets it only on Windows, only for the duration of the Popen call, and then automatically unsets it or restores its old value.

NoDefaultCurrentDirectoryInExePath is documented in NeedCurrentDirectoryForExePathW function (processenv.h). See also this SO post by Mofi.

It automatically affects the behavior of subprocess.Popen on Windows, due to the way Popen uses the Windows API. (In contrast, it does not, at least currently on CPython, affect the behavior of shutil.which. But shutil.which is not being used to find git.exe. [Edit: To avoid misleading people who find this by searching, I should mention that, starting in Python 3.12, shutil.which now checks this as well.])

I have tested this by naming a hello world program git.exe and placing it in the current directory, verifying that import git produces an expected error (my hello world program does not provide Git operations), then applying this change and verifying that import git works as it should.
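The following is an added illustration of the approach described above (set the variable in the caller's environment, only on Windows, only around the Popen call, then restore whatever was there before). It is not GitPython's code and not part of the pull request; the helper names `patch_env`, `safer_popen` and `child_sees_variable` are made up for this example, and the `windows` parameter exists only so the behaviour can be exercised on a non-Windows machine, where the variable is simply ignored by the OS.

```python
"""Temporarily set NoDefaultCurrentDirectoryInExePath around a subprocess.Popen call.

Added example, not GitPython's implementation. Helper names are hypothetical.
"""
import contextlib
import os
import subprocess
import sys

# Windows reads this variable from the *calling* process's environment when it
# resolves an unqualified executable name (documented with
# NeedCurrentDirectoryForExePathW). Any value excludes the current directory.
NO_DEFAULT_CWD_IN_EXE_PATH = "NoDefaultCurrentDirectoryInExePath"


@contextlib.contextmanager
def patch_env(name, value):
    """Set os.environ[name] inside the block; on exit, restore the old value or
    remove the variable again if it was not set before."""
    old_value = os.environ.get(name)
    os.environ[name] = value
    try:
        yield
    finally:
        if old_value is None:
            os.environ.pop(name, None)
        else:
            os.environ[name] = old_value


def safer_popen(args, *, windows=None, **kwargs):
    """subprocess.Popen that keeps the CWD out of the executable search on Windows.

    `windows` defaults to sys.platform == "win32"; it is a parameter only so the
    code path can be exercised elsewhere (the variable is harmless on other OSes).
    """
    if windows is None:
        windows = sys.platform == "win32"
    if not windows:
        return subprocess.Popen(args, **kwargs)
    # The variable has to be in our own environment while Popen resolves the
    # executable; passing env=... to the child would not influence that lookup.
    with patch_env(NO_DEFAULT_CWD_IN_EXE_PATH, "1"):
        return subprocess.Popen(args, **kwargs)


def variable_is_set():
    """True if the variable is currently present in this process's environment."""
    return NO_DEFAULT_CWD_IN_EXE_PATH in os.environ


def child_sees_variable(windows):
    """Spawn a Python child that reports the variable's value during the call.

    Returns the child's output: "1" when the guard was active, otherwise "unset".
    """
    code = "import os; print(os.environ.get(%r, 'unset'))" % NO_DEFAULT_CWD_IN_EXE_PATH
    proc = safer_popen(
        [sys.executable, "-c", code],
        windows=windows,
        stdout=subprocess.PIPE,
        text=True,
    )
    out, _ = proc.communicate()
    return out.strip()


def restores_previous_value():
    """Check that patch_env puts back a pre-existing value rather than deleting it."""
    os.environ[NO_DEFAULT_CWD_IN_EXE_PATH] = "0"  # constructed pre-existing value
    with patch_env(NO_DEFAULT_CWD_IN_EXE_PATH, "1"):
        inside = os.environ[NO_DEFAULT_CWD_IN_EXE_PATH]
    after = os.environ.pop(NO_DEFAULT_CWD_IN_EXE_PATH)
    return inside == "1" and after == "0"


if __name__ == "__main__":
    # On a non-Windows host this still shows the variable being set for the
    # duration of the call and removed afterwards.
    print("child saw:", child_sees_variable(windows=True))
    print("still set afterwards:", variable_is_set())
```

The child process is used here only as a witness that the variable was present in the caller's environment at the moment Popen ran; on a real Windows host that is what makes CreateProcess skip the current directory when looking for `git.exe`.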