generated code in gnulib.mk may use += to append to them.
* configure.ac: Add AM_PROG_AR, to placate newer automake.
+2011-02-01 Jim Meyering <meyering@redhat.com>
+ and Andreas Gruenbacher <agruen@linbit.com>
+
+ Do not let a malicious patch create files above current directory
+ This addresses CVE-2010-4651, reported by Jakub Wilk.
+ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4651
+ * src/util.c (strip_leading_slashes): Reject absolute file names and
+ file names containing a component of "..".
+ * tests/bad-filenames: New file. Test for this.
+ * tests/Makefile.am (TESTS): Add it.
+
2012-01-01 Jim Meyering <meyering@redhat.com>
maint: enable the sc_space_tab syntax-check rule
n = p+1;
}
}
+ if (IS_ABSOLUTE_FILE_NAME (n))
+ fatal ("rejecting absolute file name: %s", quotearg (n));
+ for (p = n; *p; )
+ {
+ if (*p == '.' && *++p == '.' && ( ! *++p || ISSLASH (*p)))
+ fatal ("rejecting file name with \"..\" component: %s", quotearg (n));
+ while (*p && ! ISSLASH (*p))
+ p++;
+ while (ISSLASH (*p))
+ p++;
+ }
if ((strip_leading < 0 || s <= 0) && *n)
{
memmove (name, n, strlen (n) + 1);
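Review bot: The ".." test on the line `if (*p == '.' && *++p == '.' && ( ! *++p || ISSLASH (*p)))` advances `p` as a side effect of evaluating the condition, so where the two `while` loops below resume depends on how far the short-circuit evaluation got; the outcome is right in every case I traced ("..", "../x", "a/../b", "..foo", "./..", "."), but it is fragile under later edits, and `if (p[0] == '.' && p[1] == '.' && (! p[2] || ISSLASH (p[2])))` expresses the same check without moving `p`. The two new checks also deserve a comment stating their purpose, e.g. `/* Reject names that could land outside the working directory: absolute names and any component that is exact"..".  */`. This is a lexical check on the name taken from the patch; it presumably does not cover a relative name whose leading components resolve through a symbolic link to a directory outside the tree, and that limitation is worth stating in the same comment. The enclosing function begins before this hunk.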