Commit 176c9511 authored by Héctor Orón Martínez's avatar Héctor Orón Martínez

Merge branch 'fix-kiwitree-symlink' into 'debian/master'

fix-kiwitree-symlink.patch: cherry-pick bad code fix from upstream.

See merge request ruby-team/open-build-service!5
parents 63d6ca32 96d7f4ce
commit 3b73dab1a9e676e28334df10fac7c054418228a8
Author: Michael Schroeder <mls@suse.de>
Date: Fri Mar 17 10:49:14 2017 +0100
[backend] fix kiwitree symlink check
Bad code copied from the build package. Sigh.
Origin: upstream, https://github.com/openSUSE/open-build-service/commit/3b73dab1a9e676e28334df10fac7c054418228a8
--- a/src/backend/bs_repserver
+++ b/src/backend/bs_repserver
@@ -1743,7 +1743,7 @@ sub receivekiwitree {
} elsif ($type eq 'l') {
$extra =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
die("bad symlink\n") if "/$extra/" =~ /\/\.?\//;
- if ("/$extra/" =~ /^(\/\.\.)+\/(.*?)$/s) {
+ if ("/$extra/" =~ /^((?:\/\.\.)+)\/(.*?)$/s) {
my ($head, $tail) = ($1, $2);
die("bad upref in symlink\n") if "/$tail/" =~ /\/\.\.\//;
die("bad upref in symlink\n") if ($head =~ y!/!!) > ($file =~ y!/!!);
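Review bot: The `+` line has no comment explaining why the repeated group is now non-capturing inside an outer capture, and that reason is easy to lose in a later cleanup. A quantified capture group keeps only its last repetition, so with the old pattern `$head` was always a single `/..` and the depth comparison two lines below could never reject a target that climbs more than one level. I would add `# capture the whole run of leading "/.." components; a repeated capture group would keep only the last one` above the `if`. The patch also ships no regression test; a link nested one directory deep whose target starts with two `..` components, expected to die with `bad upref in symlink`, would pin the fix. The comparison also relies on `$file` being a relative, already-normalised path, which is worth confirming because receivekiwitree's body starts and ends outside this hunk and any such check is not visible here.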
......@@ -16,3 +16,4 @@ Do-not-ship-database.yml.patch
localgem.patch
disable-slp.patch
CVE-2017-5188.patch
fix-kiwitree-symlink.patch