184 Commits

Author SHA1 Message Date
Daniel Black
d161c9a9db Skip read-only check when output file specified
Only check if input files are read-only when overwriting them; skip
that check when the output goes to a different file.

* src/patch.c (main): Set read_only_behavior to RO_IGNORE when an output
file has been specified.
* tests/read-only-files: Add test case.
2025-05-01 13:40:20 +02:00
Andreas Gruenbacher
4c302306a8 Reject empty filenames
* src/safe.c (safe_xstat): Reject empty pathnames.
* tests/bad-filenames: Add a new test.
* src/patch.c (main): Don't check if the input file is writable when
we're not going to modify it.
2025-04-05 17:26:56 +02:00
Petr Vaněk
b3d0c93338 Regression in commit abe92e8010ab affecting MariaDB tests
I have discovered a regression in commit abe92e8010ab ("Prefer idx_t,
ptrdiff_t to lin") while I was running MariaDB tests. The regression is
related to a diff file [1], where the patch fails to apply with the
following error:

  patch: **** '---' expected at line 2 of patch

To illustrate the issue, I have attached a git patch containing a
testcase with simplified reproducer.

[1] https://github.com/MariaDB/server/blob/mariadb-10.6.21/mysql-test/suite/innodb/r/innodb-wl5522%2Cstrict_crc32.rdiff file
2025-02-26 16:46:07 -08:00
Paul Eggert
b5d2124e2e patch: fix --no-backup-if-mismatch regression
Problem reported by Sam James in:
https://lists.gnu.org/archive/html/bug-patch/2025-02/msg00014.html
https://bugs.gentoo.org/show_bug.cgi?id=949834
* src/patch.c (backup_if_mismatch_specified): New static var.
(get_some_switches): Set it.
(main): Default backup_if_mismatch only if not set on command line.
* tests/no-backup: New file.
* tests/Makefile.am (TESTS): Add it.
2025-02-24 23:29:59 -08:00
Bruno Haible
7d876522e9 Declare an expected test failure on Haiku.
* bootstrap.conf (gnulib_modules): Add test-xfail.
* tests/preserve-mode-and-timestamp: Add a comment regarding Haiku.
* tests/Makefile.am (XFAIL_TESTS): On Haiku, add preserve-mode-and-timestamp.
2025-02-06 21:03:10 +01:00
Paul Eggert
1da6bf84db Check for newlines only when creating a file name
Also, check only the last file name component.
In other words, mimic operating systems that follow POSIX.1-2024’s
encouragement to fail with EILSEQ when openat etc. create a file name.
This is more conservative than the previous patch to prohibit
newlines in file names.
* src/patch.c (main, backup_file_name_option, get_some_switches):
* src/util.c (parse_c_string, make_tempfile):
Don’t check for newlines in a file name unless we are definitely
creating a file, as it’s harmless to read and stat files with
newlines in their names if the OS allows that.
* src/safe.c (traverse_another_path, traverse_path): New arg
REJECT_NL.  If set, reject any file name whose last component
contains a newline.  Also, do not do traversal if unsafe.  All
callers changed to pass true if they are creating the file name,
false otherwise, and to not bother checking whether we are unsafe.
(safe_open): Special case for when O_CREAT is set but O_EXCL is not.
* src/util.c (pfatal): Report "Invalid byte sequence" for EILSEQ.
This POSIX wording is less confusing than glibc's "Invalid or
incomplete multibyte or wide character".  Also, this lets
the test cases check for this wording.
* tests/bad-filenames: Adjust to new diagnostic wording.
2025-01-08 09:53:45 -08:00
Paul Eggert
95e0092f97 maint: make update-copyright
2025-01-05 13:33:00 -08:00
Andreas Gruenbacher
910fecf695 Add missing feature tests to the test suite
Check for chmod, hardlink, symlink, and special character support to
prevent test suite failures in feature constrained environments.

Thanks to Bruno Haible and Nelson H. F. Beebe for their testing and
analysis.

* tests/test-lib.sh: Add new feature tests.
* tests/hardlinks: Split this hardlinks related test off from
tests/remember-backup-files.
* tests/Makefile.am (TESTS): Add new hardlinks test here.
* tests/file-create-modes, tests/file-modes, tests/read-only-files,
tests/preserve-mode-and-timestamp, tests/no-mode-change-git-diff: These
tests require chmod support.
* tests/hardlinks, tests/unmodified-files: These tests require hardlink
support.
* tests/symlinks: This test requires symlink support.
* tests/quoted-filenames: This test requires special character support
in filenames.
2024-11-11 22:21:27 +01:00
Andreas Gruenbacher
ee3cc4016d Revert "Remove obsolete require_gnu_diff function"
Oops, function require_gnu_diff is still needed in two places.

This reverts commit 8cae4fc2213649e36e8f9a4cf21c28a82de3705c.
2024-09-18 14:51:33 +02:00
Andreas Gruenbacher
8cae4fc221 Remove obsolete require_gnu_diff function
* tests/test-lib.sh (require_gnu_diff): Remove.
2024-09-18 14:42:49 +02:00
Paul Eggert
a03e1bac4a Port other reject-format test to non-GNU diff
* tests/reject-format: Also don’t assume GNU diff
for the ab.diff file.  Problem discovered on Solaris 11.4.
2024-09-17 22:28:45 -07:00
Paul Eggert
9ba5eb00b3 Don’t be fooled by NUL bytes in diff directives
* src/pch.c (get_line, pget_line): New arg ALLOW_NUL.
It is true when getting data lines, which can contain NUL,
but false when getting ‘diff’ directives, which cannot.
All uses changed.
* tests/bad-filenames: Check that ‘patch’ rejects
directives containing NUL.
2024-09-17 17:43:23 -07:00
Paul Eggert
79dd5e762c Don’t be fooled by "\000" in file name
* src/util.c (parse_c_string): Don’t be tricked by perverse
C-style quoted strings containing backslash, '0', '0', '0'.
* tests/quoted-filenames: Test this.
2024-09-17 17:43:23 -07:00
Paul Eggert
8492a6a212 Port to quasi-GNU diff
Problem reported by Jim Meyering: ‘diff’ acted like GNU diff,
and generated correct output, but the output differed slightly
from what the test wanted.  As the output of ‘diff’ is not
completely determined from its input, it’s better to put
the desired ‘diff’ output directly in the test when the test
depends on the exact output.
* tests/preserve-c-function-names, tests/reject-format:
Do not require GNU diff or use ‘diff’.
Instead, cat the desired ‘diff’ output.
2024-09-17 17:43:23 -07:00
Paul Eggert
30449e294b Fix compatibility issue with blanks in patches
* src/util.c (remove_prefix): Remove; no longer used.
* src/pch.c (intuit_diff_type, scan_linenum, another_hunk):
Allow a nonempty sequence of blanks in places where POSIX requires
support for these sequences.
(another_hunk): Parse the "0,0" instead of comparing it literally,
since there can be blanks around the comma.
* tests/Makefile.am (TESTS): Add unusual-blanks.
* tests/unusual-blanks: New file.
2024-09-15 22:50:38 -07:00
Paul Eggert
4278b91942 Reject output file names containing '\n'
This is encouraged by POSIX.1-2004.
* bootstrap.conf (gnulib_modules): Add mempcpy.
* src/patch.c (main, get_some_switches):
* src/util.c (parse_c_string):
Reject output file names containing newlines.
(backup_file_name_option): New function, to help with that.
(make_tempfile): Reject TMPDIR values containing newlines.
Do not silently screw up if TMPDIR length exceeds INT_MAX.
* tests/bad-filenames: Test for file names containing '\n'.
2024-08-28 23:13:44 -07:00
Paul Eggert
d18c05d5bd Update copyright notices
Switch to single intervals for FSF notices,
and consistently put them first.
Update copyright notices for 2024.
* cfg.mk (update-copyright-env): Use UPDATE_COPYRIGHT_FORCE=1,
UPDATE_COPYRIGHT_USE_INTERVALS=2.
* patch.man: Always use \(co, so that update-copyright
updates these dates.
* src/version.c: Correct Larry Wall copyright years.
2024-08-28 23:13:44 -07:00
Paul Eggert
8c27a03b2e Spelling fixes
2024-08-25 18:14:30 -07:00
Paul Eggert
299167f059 maint: simplify .gitignore
* .gitignore: Update for current Gnulib.
Merge m4/.gitignore, tests/.gitignore into this.
* m4/.gitignore, tests/.gitignore: Remove.
2024-08-25 18:14:30 -07:00
Kerin Millar
7623b2dc0d Fix test for presence of BASH_LINENO[0]
eval is not some sort of magical sandbox for executing code that might cause
the shell's parser to take exception. Render the test resilient by carrying
it out within a subshell. While at it, position the redirection so that
STDERR is, in fact, muted.

Signed-off-by: Kerin Millar <kfm@plushkava.net>
Reported-by: Paolo Pedroni <paolo.pedroni@iol.it>
Closes: https://bugs.gentoo.org/738810
2021-01-08 10:15:31 +01:00
Andreas Gruenbacher
78ed9decdf Add missing-section tests to context-format test case
* tests/context-format: Add tests with a missing pattern and a missing
replacement section in a hunk.  Patch should fill in the missing
sections from the existing sections.
2019-12-24 00:26:49 +01:00
Andreas Gruenbacher
a5b442ce01 Skip "ed" test when the ed utility is not installed
* tests/ed-style: Require ed.
2019-06-27 11:09:31 +02:00
Jean Delvare
369dcccdfa Don't leak temporary file on failed multi-file ed-style patch
The previous fix worked fine with single-file ed-style patches, but
would still leak temporary files in the case of multi-file ed-style
patch. Fix that case as well, and extend the test case to check for
it.

* src/patch.c (main): Unlink TMPEDNAME if needed before moving to
  the next file in a patch.

This closes bug #53820:
https://savannah.gnu.org/bugs/index.php?53820

Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
Fixes: 19599883ffb6 ("Don't leak temporary file on failed ed-style patch")
2018-05-07 15:15:33 +02:00
Bruno Haible
458ac51a05 Fix 'ed-style' test failure.
* tests/ed-style: Remove '?' line from expected output.
2018-04-07 16:41:14 +02:00
Andreas Gruenbacher
123eaff0d5 Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)
* src/pch.c (do_ed_script): Write ed script to a temporary file instead
of piping it to ed: this will cause ed to abort on invalid commands
instead of rejecting them and carrying on.
* tests/ed-style: New test case.
* tests/Makefile.am (TESTS): Add test case.
2018-04-06 12:23:02 +02:00
Andreas Gruenbacher
074e2395f8 Test suite: fix Korn shell incompatibility
tests/merge: In a Korn shell, shift apparently fails when $# is 0.
2018-02-07 17:05:00 +01:00
Andreas Gruenbacher
f6bc5b14bd Test suite compatibility fixes
* tests/crlf-handling, tests/git-cleanup, tests/test-lib.sh: Use printf
instead of echo -e / echo -n for compatibility with systems that don't
support these echo options.
* tests/merge: Minor other cleanups.
2018-02-07 13:19:24 +01:00
Thomas Orgis
592e1f9163 Create git diff files with indicated mode
* src/patch.c (main): Create git diff files with indicated mode.
* tests/file-create-modes: New test case.
* tests/Makefile.am (TESTS): Add test case.

This fixes building current Linux 4.14.x from the signed tarball and
patch file, where the patch creates a script with the executable bit
set.
2018-01-23 10:56:27 +01:00
Andreas Gruenbacher
00947f4111 Don't allow hunks to overlap
* src/patch.c (locate_hunk): Don't allow a hunk to overlap with the
previous one.
* tests/false-match: Add regression test.
2017-09-06 18:35:44 +02:00
Jim Meyering
4c43a0b1cb tests: use $PATCH rather than hard-coded path
* tests/git-cleanup: Don't hard-code program name.
2016-07-31 10:17:52 +02:00
Andreas Gruenbacher
66fdcf0e7c Fix broken git-style patch behavior
When a git-style patch is applied, all file modifications are done to
temporary files which are put in place when the patch ends.  When a
patch fails, GNU patch was trying to "roll back" to the start.  A bug in
that code that led to accidental file deletion was recently discovered
by Richard Weinberger <richard@nod.at>.  Even worse though, GNU patch
should not exhibit this "rollback" behavior in the first place; that's
not what people expect. Instead, the files modified so far should be put
in place.
* src/patch.c (cleanup): Put output files processed successfully
in place instead of trying to "roll back" to the start.
(forget_output_files): Remove obsolete (and broken) function.
* tests/git-cleanup: New broken git-style patch test case that exercises
the cleanup path.
* tests/Makefile.am (TESTS): Add new test case.
2016-07-27 15:47:47 +02:00
Andreas Gruenbacher
83a3ed012c Fix inname test case
* src/safe.h (unsafe): New flag to allow turning off safe file
operations.
* src/safe.c (safe_xstat, safe_open, safe_rename, safe_mkdir,
safe_rmdir, safe_unlink, safe_symlink, safe_chmod, safe_lchown,
safe_lutimens, safe_readlink, safe_access): When safe file operations
are turned off, skip safe path traversal.  Any symlink checks of the
last path component are still done though.
* src/patch.c (main): When the file to patch is specified on the command
line, turn off safe file operations.
* tests/inname: Fix typo in test.
2016-07-27 15:47:47 +02:00
Andreas Gruenbacher
70532e21a8 Add context-format test to XFAIL_TESTS for now
* tests/Makefile.am (XFAIL_TESTS): Add context-format test until someone
gets to fixing it.
2016-07-27 10:58:03 +02:00
Andreas Gruenbacher
4f4fd1b41d Add broken context-format test cases
* tests/context-format: Add context-format test cases from
Mattias Andrée <maandree@member.fsf.org> that patch doesn't parse
correctly.
2016-03-18 10:12:31 +01:00
Andreas Gruenbacher
98b86e970a Input file outside current directory: add test case
Patch currently makes sure that input / output files are inside the current
working directory even when the input files are explicitly specified on the
command line (see http://savannah.gnu.org/bugs/?45581).
* tests/inname: Add a test case for this bug.
2015-07-20 11:18:12 +02:00
Andreas Gruenbacher
5c6625bf62 Don't require traditional patch header after "git --diff"
Reported by Tim Waugh <twaugh@redhat.com>.
* src/pch.c (intuit_diff_type): Don't require a traditional patch header
("--- old\n+++ new\n") after a "git --diff" header; the "git --diff" header
gives us enough information for being able to process subsequent hunks.  This
deals with corrupted patches more gracefully.
* tests/corrupt-patch: New test case.
* tests/Makefile.am (TESTS): Add test case.
2015-03-09 15:29:15 -04:00
Andreas Gruenbacher
7a77ae9f81 Allow absolute symlinks that lead back into the working directory
* src/safe.c (cwd_stat_errno, cwd_stat): stat() result of ".".
(read_symlink): When a symlink is absolute, check if it leads back into the
working directory.  If it does, strip off the prefix above the working
directory. If the symlink points to the working directory, return an empty
path.
(traverse_another_path): Recognize empty paths from read_symlink().
* tests/symlinks: Absolute symlink test cases.
2015-03-07 01:23:29 +01:00
Tim Waugh
9f92e52c9f Add more path traversal test cases
* tests/symlinks: Add more path traversal test cases.
2015-03-05 22:57:07 +01:00
Andreas Gruenbacher
ef609c26b2 Follow directory symlinks within the working directory
* src/safe.c (struct symlink): A symlink to resolve.
(push_symlink, pop_symlink): New functions.
(read_symlink): Create a new symlink stack entry.
(traverse_next): Follow ".." components within the working directory. When
hitting symlinks, "follow" them by reading and returning them.
(traverse_another_path): Recursively traverse symlinks.
2015-03-05 22:57:04 +01:00
Andreas Gruenbacher
db9f39507e Fix handling of renamed files
When a file has already been renamed, make sure it is not renamed back to its
old name.  Reported by Guido Draheim.
* src/patch.c (main): Make sure we never rename a file back to its previous
name. Report when a file was renamed already.
* tests/copy-rename: Add "already renamed" test cases.
2015-02-22 18:50:16 +01:00
Andreas Gruenbacher
8d12036047 Fix symlinks test case on some architectures
* src/safe.c: Include util.h for say(). Define EFTYPE if it isn't defined
already.
(traverse_another_path): When openat fails, also check for EMLINK, EFTYPE, and
ENOTDIR. Change the error message to "file ... is not a directory" and only
skip the rest of the patch instead of aborting.
* tests/symlinks: Update.
2015-02-10 22:31:56 +01:00
Andreas Gruenbacher
7297352e16 Test suite portability fixes
Reported and fixed (mostly) by Christian Weisgerber <naddy@mips.inka.de>:
* tests/deep-directories: Avoid the bash >& redirection operator.
* tests/no-mode-change-git-diff: Instead of "stat -c", use "ls -l | sed".
* tests/read-only-files: A redirection failure for a special built-in causes
some shells (FreeBSD sh, OpenBSD sh (pdksh), some bash --posix) to exit, and
the colon command is a special built-in. Perform the redirection in a subshell.
2015-02-04 10:54:03 +01:00
Andreas Gruenbacher
ddf16e1209 Check the result of the --follow-symlinks option
* tests/symlinks: Check the result of treating a symlink as a file with
--follow-symlinks.
2015-02-02 15:43:56 +01:00
Andreas Gruenbacher
38d87ecb9e Fix indentation heuristic for context diffs
Diffs can be indented by a variable number of spaces, tabs, or X characters.
Make sure that intuit_diff_type() only accepts context diffs where the first
and second line are indented identically, or else another_hunk() will fail.
* src/pch.c (intuit_diff_type): Remember the indentation of the last line. Only
recognize context diff hunks with the same amount of indentation on the first
and second line.
* tests/garbage: New test case.
* tests/Makefile.am (TESTS): Add test case.
2015-01-31 22:14:01 +01:00
Quentin Casasnovas
68d39ff29f tests: add a test case for unwanted mode changes.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
2015-01-31 22:14:01 +01:00
Quentin Casasnovas
c80b1a06a9 test-lib.sh: factorize require_* functions
Since the code is identical when just checking if a utility is present on
the system or not, we can factorize it.

Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
2015-01-31 22:14:01 +01:00
Andreas Gruenbacher
8d621e8819 Add test case for patch behind symlink
* tests/symlinks: Add a test case where the patch file itself is in a path that
follows a symbolic link; we want to continue allowing that.
2015-01-31 22:14:01 +01:00
Tim Waugh
290ffcb488 Allow arbitrary symlink targets again
* src/util.c (symlink_target_is_valid): Remove.
(move_file): Remove symlink target checking.
* tests/symlinks: Update test case.
2015-01-31 22:14:01 +01:00
Tim Waugh
025a54b789 Add symlink-safe system call replacements
Add wrappers around system calls that traverse relative pathnames without
following symlinks. Written by Tim Waugh <twaugh@redhat.com> and Andreas
Gruenbacher <agruenba@redhat.com>.
* src/safe.h: Declare functions here.
* src/safe.c: Implement safe_* system call replacements that do not follow
symlinks along pathnames. Pathname components are resolved with openat().
Lookup results are cached to keep the overhead reasonably low.
* tests/deep-directories: New path traversal cache test.
* src/Makefile.am (patch_SOURCES): Add safe.[ch].
* tests/Makefile.am (TESTS): Add new test.
2015-01-31 22:13:44 +01:00
Andreas Gruenbacher
41688ad8ef Fix the fix for CVE-2015-1196
* src/util.c (filename_is_safe): New function split off from name_is_valid().
(symlink_target_is_valid): Explain why we cannot have absolute symlinks or
symlinks with ".." components for now.
(move_file): Move absolute filename check here and explain.
* tests/symlinks: Put test case with ".." symlink in comments for now.
* NEWS: Add CVE number.
2015-01-22 21:51:51 +01:00