[CVE-2010-4651] Do not let a malicious patch create files above current directory
author JinWang An <jinwang.an@samsung.com>
Tue, 23 Feb 2021 12:17:49 +0000 (21:17 +0900)
committer JinWang An <jinwang.an@samsung.com>
Wed, 17 Mar 2021 04:20:29 +0000 (13:20 +0900)
commit 1c2e21155cc6f5b4605c9f3d8a5eca0c1f2f16ff
tree 29bdf7d7c59bf4ba516f1e6eea302d420674ee96
parent 93adb4ad8dfd444c616d0aa910a6b2fef2cd24dd
[CVE-2010-4651] Do not let a malicious patch create files above current directory

This addresses CVE-2010-4651, reported by Jakub Wilk.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4651
* src/util.c (strip_leading_slashes): Reject absolute file names
and file names containing a component of "..".
* tests/bad-filenames: New file.  Test for this.
* tests/Makefile.am (TESTS): Add it.
Improvements by Andreas Gruenbacher.

Change-Id: I2f85671214a71c84461b1b2c805c7f48f3b3f922
Signed-off-by: JinWang An <jinwang.an@samsung.com>
ChangeLog
src/util.c
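
The rule the commit message describes (reject absolute file names and file names containing a ".." component) can be sketched as a stand-alone check. This is an added example, not the code from src/util.c: the function name filename_is_safe and the sample names are hypothetical, and it assumes '/' is the only directory separator.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not the project's strip_leading_slashes():
   returns true only if NAME is relative and none of its '/'-separated
   components is exactly "..". */
bool filename_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;               /* nothing to create */
    if (*name == '/')
        return false;               /* absolute file name */

    const char *p = name;
    while (*p) {
        while (*p == '/')           /* collapse runs like "a//b" */
            p++;
        const char *start = p;
        while (*p && *p != '/')     /* walk to the end of this component */
            p++;
        size_t len = (size_t)(p - start);
        /* Compare the whole component, so "..b" and "b.." stay allowed
           while "a/.." and "a/../b" are rejected. */
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample names, as they might appear in a patch header. */
    const char *samples[] = {
        "src/util.c", "./tests/bad-filenames", "a/..b/c",
        "/etc/motd", "../outside", "a/../../outside", "a//../b",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               filename_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A substring search for ".." would also reject harmless names such as "a/..b/c", which is why the check compares whole components.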