kennethreitz/pipenv
1
0
Fork 0
mirror of https://github.com/kennethreitz/pipenv.git synced 2026-06-05 22:50:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

disallow abbreviated forms of full option names

Browse Source 
Previously, due to default behavior of ArgumentParser, global --index-url,
--extra-index-url, and --trusted-host options in requirements files could be
abbreviated (e.g. "--index" == "--index-url"). As a result, unexpected
behavior could occur during processing of a requirements file with these
shortened option names when using Pipenv, which could be exploited by a
malicious actor to surreptitiously insert pip options using non-obvious
abbreviations.

For example, adding a line with "--t example.com" to the
requirements file would cause Pipenv to treat example.com as trusted, even
when example.com presents an invalid TLS certificate.

This commit disables support for abbreviated options in the ArgumentParser,
to align Pipenv's behavior when parsing global options in a requirements
file with the behavior in pip, as expected.
This commit is contained in:
Milo Minderbinder
2022-01-05 19:42:25 -05:00
parent 3ab4763d4a
commit d535301e1f
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pipenv/utils.py
+1 -1
View File
@@ -2053,7 +2053,7 @@ def parse_indexes(line, strict=False):
comment_re = re.compile(r"(?:^|\s+)#.*$")
line = comment_re.sub("", line)
parser = ArgumentParser("indexes")
parser = ArgumentParser("indexes", allow_abbrev=False)
parser.add_argument("-i", "--index-url", dest="index")
parser.add_argument("--extra-index-url", dest="extra_index")
parser.add_argument("--trusted-host", dest="trusted_host")