From 25c1b92b1add0b81afe2fc6f9e82f66738a2d800 Mon Sep 17 00:00:00 2001
From: Trevor Gamblin <trevor.gamblin@windriver.com>
Date: Thu, 22 Jul 2021 09:57:53 -0400
Subject: [PATCH] Don't split git references on unicode separators

Upstream-Status: Backport 
(https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b)

CVE: CVE-2021-3572

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
---
 src/pip/_internal/vcs/git.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
index 7483303a9..d706064e7 100644
--- a/src/pip/_internal/vcs/git.py
+++ b/src/pip/_internal/vcs/git.py
@@ -137,9 +137,15 @@ class Git(VersionControl):
         output = cls.run_command(['show-ref', rev], cwd=dest,
                                  show_stdout=False, on_returncode='ignore')
         refs = {}
-        for line in output.strip().splitlines():
+        # NOTE: We do not use splitlines here since that would split on other
+        #       unicode separators, which can be maliciously used to install a
+        #       different revision.
+        for line in output.strip().split("\n"):
+            line = line.rstrip("\r")
+            if not line:
+                continue
             try:
-                sha, ref = line.split()
+                sha, ref = line.split(" ", maxsplit=2)
             except ValueError:
                 # Include the offending line to simplify troubleshooting if
                 # this error ever occurs.
-- 
2.31.1