python · jupyterlab-git · Critical
jupyterlab-git 0.53.0: Case-sensitive path check bypass on case-insensitive filesystems
What changed
jupyterlab-git 0.53.0 uses fnmatch.fnmatchcase() in GitHandler.prepare() to enforce excluded_paths, which is case-sensitive on all platforms, allowing bypass on case-insensitive filesystems.
Who it affects
Authenticated users of JupyterLab with jupyterlab-git installed on case-insensitive filesystems (macOS APFS, Windows NTFS) where administrators have configured excluded_paths.
What to do today
Upgrade jupyterlab-git to a patched version or apply the fix: replace fnmatch.fnmatchcase() with fnmatch.fnmatch() after lowercasing both path and excluded_path.
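An added example (not code from jupyterlab-git or from this advisory) that models the case-sensitive check and the suggested fix side by side. The function names, the excluded pattern and the request paths are constructed for illustration.

```python
import fnmatch

# Constructed sample configuration: an administrator hides one directory tree.
EXCLUDED_PATHS = ["/home/shared/secrets/*"]


def is_excluded_case_sensitive(path, excluded_paths):
    """Model of the check described above: fnmatchcase() compares exact case."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in excluded_paths)


def is_excluded_case_folded(path, excluded_paths):
    """Model of the suggested fix: lowercase both sides, then match.

    The explicit lower() matters: fnmatch.fnmatch() only folds case through
    os.path.normcase(), which changes nothing on POSIX hosts, macOS included.
    """
    lowered = path.lower()
    return any(fnmatch.fnmatch(lowered, pattern.lower()) for pattern in excluded_paths)


def audit(paths, excluded_paths):
    """Return the paths the two checks disagree on, i.e. case-only bypasses."""
    return [
        p for p in paths
        if is_excluded_case_folded(p, excluded_paths)
        and not is_excluded_case_sensitive(p, excluded_paths)
    ]


if __name__ == "__main__":
    # Constructed request paths; on APFS or NTFS the first three name one directory.
    requests = [
        "/home/shared/secrets/repo",
        "/home/shared/Secrets/repo",
        "/HOME/shared/SECRETS/repo",
        "/home/shared/public/repo",
    ]
    for p in audit(requests, EXCLUDED_PATHS):
        print("case-only bypass of excluded_paths:", p)
```

On a case-sensitive filesystem the folded check also excludes distinct directories that differ only in case, so it fails closed. The same `audit()` comparison can be run over logged request paths to find accesses that the case-sensitive check let through.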