* src/safe.c (struct symlink): A symlink to resolve.
(push_symlink, pop_symlink): New functions.
(read_symlink): Create a new symlink stack entry.
(traverse_next): Follow ".." components within the working directory. When
hitting symlinks, "follow" them by reading and returning them.
(traverse_another_path): Recursively traverse symlinks.
* src/safe.c: Include util.h for say(). Define EFTYPE if it isn't defined
already.
(traverse_another_path): When openat fails, also check for EMLINK, EFTYPE, and
ENOTDIR. Change the error message to "file ... is not a directory" and only
skip the rest of the patch instead of aborting.
* tests/symlinks: Update.
Since the code is identical when just checking if a utility is present on
the system or not, we can factorize it.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
* src/util.c (filename_is_safe): New function split off from name_is_valid().
(symlink_target_is_valid): Explain why we cannot have absolute symlinks or
symlinks with ".." components for now.
(move_file): Move absolute filename check here and explain.
* tests/symlinks: Put test case with ".." symlink in comments for now.
* NEWS: Add CVE number.
When creating symlinks from git-style patches, make sure the symlinks don't
point above the current working directory. Otherwise, a subsequent patch could
use the symlink to write outside the working directory.
* src/pch.c (symlink_target_is_valid): New function to check for valid symlink
targets.
* src/util.c (move_file): Use symlink_target_is_valid() here.
* tests/symlinks: Add valid and invalid symlink test cases.
* src/common.h (follow_symlinks): New variable.
* src/patch.c (longopts): Add new --follow-symlinks option.
(get_some_switches): Recognize the new option.
* src/util.c (stat_file): Follow symlinks if requested.
* patch.man: Document the new option.
* tests/symlinks: Add test case.
* tests/symlinks: Remove test case which deletes and then recreates a symlink:
all patches in a git-style input file must refer to the "before" state; the
test case is invalid.
With these changes, "make sc_prohibit_test_minus_ao" almost passes.
Uses of "test -o" remain.
Note: unchecked uses of test -ot/-nt also remain.
* tests/empty-files: Use "test C1 && test C2", not "test C1 -a C2"
* tests/merge: Likewise.
* tests/symlinks: Likewise.
* tests/test-lib.sh: Likewise.
* src/util.c (create_backup): Document patch's backup file logic.
(create_backup, create_backup_copy): Add a flag to remember the backup
file; use when a patch deletes a file.
(move_file, copy_file): Better error messages.
* tests/Makefile.am (TESTS): Remove remember-backup-files-2.
* tests/remember-backup-files: Add tests from remember-backup-files-2.
* tests/symlinks: Add a symlink backup file test.
* src/inp.c (get_input_file), src/pch.c (there_is_another_patch,
intuit_diff_type): Use lstat instead of stat. This causes patch to
refuse patching symlinks (get_input_file() will refuse to read them).
* src/util.c (create_backup): Refuse to create backups of symlinks.
* tests/symlinks: New test case.
* tests/Makefile.am (TESTS): Add test case.
* bootstrap.conf: Use the gnulib lstat module.
