From b16dd80c50deaa4753045d93ed281d348509293f Mon Sep 17 00:00:00 2001
From: Pradyun Gedam <pradyunsg@users.noreply.github.com>
Date: Sun, 1 Oct 2023 14:10:25 +0100
Subject: [PATCH] Use `-r=...` instead of `-r ...` for hg
This ensures that the resulting revision can not be misinterpreted as an
option.
Upstream-Status: Backport
[https://github.com/pypa/pip/pull/12306/commits/389cb799d0da9a840749fcd14878928467ed49b4]
CVE: CVE-2023-5752
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
---
src/pip/_internal/vcs/mercurial.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pip/_internal/vcs/mercurial.py b/src/pip/_internal/vcs/mercurial.py
index 2a005e0..e440c12 100644
--- a/src/pip/_internal/vcs/mercurial.py
+++ b/src/pip/_internal/vcs/mercurial.py
@@ -31,7 +31,7 @@ class Mercurial(VersionControl):
@staticmethod
def get_base_rev_args(rev: str) -> List[str]:
- return [rev]
+ return [f"-r={rev}"]
def fetch_new(
self, dest: str, url: HiddenText, rev_options: RevOptions, verbosity: int
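Review bot: The `-r={rev}` form returned by `get_base_rev_args` depends on how Mercurial's short-option parser treats the `=`: getopt-style parsers usually take everything after `-r` as the value, so the revision may reach hg as `=<rev>` and fail to resolve, which should be confirmed against the supported hg versions. The long option binds the value without that ambiguity and still prevents a revision beginning with `-` from being read as a flag: `return [f"--rev={rev}"]`. Since `rev` presumably comes from the user-supplied requirement, a short comment such as `# Bind rev to the option so a value starting with "-" is never parsed as a flag` would stop a later cleanup from reverting to the positional form. The enclosing `Mercurial` class and the `fetch_new` definition that follows both extend beyond this hunk.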
--
2.25.1