github jelmer/dulwich dulwich-1.2.9

latest release: dulwich-1.2.10
5 hours ago

Highlights of this release:

Security fixes

  • Reject checkout paths whose leading component is a DOS drive-letter prefix on Windows (e.g. C:), which os.path.join would otherwise treat as absolute and let a crafted tree write outside the work tree. (reported by Luke Baton)
  • Bound zlib decompression of pack entries and loose objects against decompression-bomb DoS. read_zlib_chunks now caps the inflated size at the declared decomp_len, and loose-object parsing accepts max_size defaulting to git's core.bigFileThreshold (512 MiB). (reported by Luke Bento)
  • Reject OFS_DELTA pack entries whose delta_base_offset is zero. Such an entry references itself, so Pack.resolve_object would loop forever growing its delta stack until OOM. (reported by Luke Banto)
  • Bound Transfer-Encoding: chunked request bodies in dulwich.web: strip chunk extensions, reject negative sizes, enforce per-chunk and per-request size limits, and cap requests that omit Content-Length.
  • Bound the running length when decoding EWAH bitmaps so a corrupt or malformed .bitmap index raises ValueError instead of hanging in an unbounded loop that exhausts memory.

Other changes

  • web: Reject smart HTTP git-upload-pack / git-receive-pack POSTs whose Content-Type is not the exact application/x-<service>-request value, matching git http-backend.
  • dulwich.web: Warn at startup that running python3 -m dulwich.web is not intended as a production web server (no authentication, etc.).

See NEWS for the full list.

Don't miss a new dulwich release

NewReleases is sending notifications on new releases.