github jelmer/dulwich dulwich-1.2.7

7 hours ago

Security

  • Don't expand config include directives when parsing .gitmodules, so a crafted .gitmodules in a cloned repository can no longer make clone --recurse-submodules read arbitrary files.
  • Validate ref names before resolving them to a path, so a client-supplied name like ../../secret can no longer read a file outside the ref store. Closes a path traversal via the argument passed to git-upload-archive and via other ref lookup paths. (#2212)
  • Reject pack names containing path separators in the dumb HTTP transport, so a malicious server can no longer escape the temporary directory. (#2213)
  • Verify that an object retrieved by id actually hashes to the requested id, raising ChecksumMismatch otherwise. (#2223)

New features

  • Add porcelain.request_pull and a dulwich request-pull command, like git request-pull. (#1823)
  • Add porcelain.range_diff and a dulwich range-diff command, like git range-diff (requires the dulwich[range_diff] extra). (#1828)

Fixes

  • Check out files whose names contain a colon or backslash on NTFS, instead of silently dropping them on clone, and abort the checkout on a genuinely invalid path. (#2205)
  • Fix apply_patch writing index entries with mode 0, which made native git abort. (#2218)
  • Fix deepening of a local shallow fetch not transferring newly-uncovered commits.
  • Several gc/repack fixes on Windows (read-only pack files, leaked temporary packs, files-in-use).
  • Discover and serve packs with non-pack- names such as loose-<hash> (written by git maintenance). (#2229)

See NEWS for the full changelog.
