Impact
dulwich.porcelain.format_patch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, get_summary only replaced spaces with dashes - path separators (/, ), parent-directory components (..), and other filename-hostile characters (e.g. :) were preserved verbatim and passed straight into os.path.join(outdir, f"{i:04d}-{summary}.patch").
A malicious commit subject could therefore direct the generated patch file outside the requested outdir. Reduced examples:
- x/../../x produced /0001-x/../../x.patch, resolving
two directories above outdir.
- x....\x produced the equivalent escape on Windows, here \ is also a path separator.
Related issues from the same root cause:
- Subjects containing characters that are illegal in Windows filenames (e.g. :) caused format_patch to fail outright on Windows, where git would have succeeded.
- Very long subjects produced excessively long filenames that could exceed filesystem limits; git truncates them.
Anyone calling porcelain.format_patch (or the dulwich format-patch CLI) against untrusted commits - for example, a service that runs format-patch over user-supplied repositories or pull requests - could have patch files written to attacker-chosen locations within the process's write permissions.
Patches
Fixed in Dulwich 1.2.5. Users should upgrade.
dulwich.patch.get_summary now mirrors git's format_sanitized_subject: only [A-Za-z0-9._] are kept, runs of other characters collapse to a single -, consecutive . collapse to a single ., trailing ./- are stripped, and the result is length-limited. This makes the returned string safe to embed as a filename component, so format_patch can no longer be steered out of outdir via the commit subject.
Workarounds
Until upgrading, callers that pass untrusted commits to porcelain.format_patch can:
- Use stdout=True and write the patch to a destination they control, rather than letting format_patch choose the filename.
- Validate the chosen path before opening - e.g. compare os.path.realpath(returned_path) against os.path.realpath(outdir) and reject any patch whose resolved path is not inside outdir.
- Pre-screen commits and refuse to format any whose subject's first line contains /, , .., or other characters that are not safe on the target filesystem.
Resources
- Fix commit: jelmer/dulwich@c2446e51b
- Affected API: dulwich.porcelain.format_patch / dulwich format-patch
- Reference behavior: git's format_sanitized_subject in pretty.c
References
Impact
dulwich.porcelain.format_patch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, get_summary only replaced spaces with dashes - path separators (/, ), parent-directory components (..), and other filename-hostile characters (e.g. :) were preserved verbatim and passed straight into os.path.join(outdir, f"{i:04d}-{summary}.patch").
A malicious commit subject could therefore direct the generated patch file outside the requested outdir. Reduced examples:
two directories above outdir.
Related issues from the same root cause:
Anyone calling porcelain.format_patch (or the dulwich format-patch CLI) against untrusted commits - for example, a service that runs format-patch over user-supplied repositories or pull requests - could have patch files written to attacker-chosen locations within the process's write permissions.
Patches
Fixed in Dulwich 1.2.5. Users should upgrade.
dulwich.patch.get_summary now mirrors git's format_sanitized_subject: only
[A-Za-z0-9._]are kept, runs of other characters collapse to a single -, consecutive . collapse to a single ., trailing ./- are stripped, and the result is length-limited. This makes the returned string safe to embed as a filename component, so format_patch can no longer be steered out of outdir via the commit subject.Workarounds
Until upgrading, callers that pass untrusted commits to porcelain.format_patch can:
Resources
References