1 files changed, 18 insertions, 6 deletions

diff --git a/git/repo/base.py b/git/repo/base.py
index 28bb2a5d..1dfe9184 100644
--- a/git/repo/base.py
+++ b/git/repo/base.py
@@ -9,6 +9,7 @@ import logging
 import os
 import re
 import sys
+import warnings
 
 from git.cmd import (
     Git,
@@ -50,8 +51,11 @@ BlameEntry = namedtuple('BlameEntry', ['commit', 'linenos', 'orig_path', 'orig_l
 __all__ = ('Repo',)
 
 
-def _expand_path(p):
-    return osp.normpath(osp.abspath(osp.expandvars(osp.expanduser(p))))
+def _expand_path(p, unsafe=True):
+    if unsafe:
+        return osp.normpath(osp.abspath(osp.expandvars(osp.expanduser(p))))
+    else:
+        return osp.normpath(osp.abspath(osp.expanduser(p)))
 
 
 class Repo(object):
@@ -90,7 +94,7 @@ class Repo(object):
     # Subclasses may easily bring in their own custom types by placing a constructor or type here
     GitCommandWrapperType = Git
 
-    def __init__(self, path=None, odbt=DefaultDBType, search_parent_directories=False):
+    def __init__(self, path=None, odbt=DefaultDBType, search_parent_directories=False, unsafe=True):
         """Create a new Repo instance
 
         :param path:
@@ -121,7 +125,10 @@ class Repo(object):
             epath = os.getcwd()
         if Git.is_cygwin():
             epath = decygpath(epath)
-        epath = _expand_path(epath or path or os.getcwd())
+        if unsafe and ("%" in epath or "$" in epath):
+            warnings.warn("The use of environment variables in paths is deprecated"
+                        + "\nfor security reasons and may be removed in the future!!")
+        epath = _expand_path(epath or path or os.getcwd(), unsafe)
         if not os.path.exists(epath):
             raise NoSuchPathError(epath)
 
@@ -148,7 +155,7 @@ class Repo(object):
                 sm_gitpath = find_worktree_git_dir(dotgit)
 
             if sm_gitpath is not None:
-                self.git_dir = _expand_path(sm_gitpath)
+                self.git_dir = _expand_path(sm_gitpath, unsafe)
                 self._working_tree_dir = curpath
                 break
 
@@ -862,12 +869,17 @@ class Repo(object):
             the directory containing the database objects, i.e. .git/objects.
             It will be used to access all object data
 
+        :param unsafe:
+            if specified, environment variables will not be escaped. This
+            can lead to information disclosure, allowing attackers to
+            access the contents of environment variables
+
         :parm kwargs:
             keyword arguments serving as additional options to the git-init command
 
         :return: ``git.Repo`` (the newly created repo)"""
         if path:
-            path = _expand_path(path)
+            path = _expand_path(path, unsafe)
         if mkdir and path and not osp.exists(path):
             os.makedirs(path, 0o755)