74d5f2397f
When Go runs a program with os.exec, it uses the LookPath function to look up the path name if the path does not contain a path separator. On Unix, this provides the standard Unix semantics by looking in PATH. However, on Windows, it also looks in the current directory as well to emulate the behavior of CMD. Unfortunately, this is a well-known security flaw on Windows and similar behavior there is the source for several whole classes of security vulnerabilities. This leads to an untrusted repository being able to create a git.bat file that gets executed in preference to our trusted path for the git binary. Since we don't want to rely on Go fixing this behavior, let's import some code from Go to provide the Unix semantics for LookPath, which are secure if the user hasn't put the current directory in PATH. That should provide secure behavior in this case. Fortunately, our code goes through one particular place to run all commands, so this is a relatively simple fix. Update the various copyright and license files to reflect our imported code.
16 lines
307 B
Go
16 lines
307 B
Go
// +build !windows
|
|
|
|
package subprocess
|
|
|
|
import (
|
|
"os/exec"
|
|
)
|
|
|
|
// ExecCommand is a small platform specific wrapper around os/exec.Command
|
|
func ExecCommand(name string, arg ...string) *Cmd {
|
|
cmd := exec.Command(name, arg...)
|
|
cmd.Path, _ = LookPath(name)
|
|
cmd.Env = fetchEnvironment()
|
|
return newCmd(cmd)
|
|
}
|