* src/safe.c (cwd_stat_errno, cwd_stat): stat() result of ".".
(read_symlink): When a symlink is absolute, check if it leads back into the
working directory. If it does, strip off the prefix above the working
directory. If the symlink points to the working directory, return an empty
path.
(traverse_another_path): Recognize empty paths from read_symlink().
* tests/symlinks: Absolute symlink test cases.
When resolving a symlink in a pathname, we traverse each path component in the
symlink and cache all of them. At the end, add an additional cache entry for
the symlink itself so that we don't have to resolve the symlink again (even
though this will usually be cached). Skip that if the symlink's parent isn't
in the cache anymore, though.
* src/safe.c (free_cached_dirfd): Remove from parent here instead of in
callers. Move close() to remove_cached_dirfd() instead.
(insert_cached_dirfd): Only insert if the entry's parent still exists; entries
without parent are invalid (see compare_cached_dirfds()); "top-level" entries
have cwd as their parent.
(new_cached_dirfd): New function split off from openat_cached().
(openat_cached): Use new_cached_dirfd() here.
(traverse_another_path): When starting to resolve a symlink, create an unhashed
dirfd cache entry for the symlink lookup result. When the symlink is completely
resolved, add that entry to the cache.
If we don't do that, a directory could be removed from the cache, a new
directory with the same dirfd could be created, and the entries from the old
directory would appear in the new directory.
* src/safe.c (struct cached_dirfd): Keep track of the children of each dirfd
cache entry.
(remove_cached_dirfd): Remove all the entry's children from the lookup hash,
take them off the list of children, and initialize the children's
children_link. Then, remove the entry itself from its parent. This has no
effect if the entry doesn't have a parent because then, children_link is empty.
(openat_cached): Add new dirfd cache entries to their parent's list of children
and initialize the entry's list of children.
(traverse_another_path): Also initialize cwd's list of children.
* src/safe.c (struct cached_dirfd): Replace prev and next with a lru_link
list_head.
(lru_list): Turn into a list_head.
(lru_list_add, lru_list_del, lru_list_del_init): Replace by list_add(),
list_del(), list_del_init().
(insert_cached_dirfd): Get to the list entry from the embedded list_head with
the list_entry() macro.
src/safe.c (safe_rename, safe_rmdir): Only invalidate cache entries when the
underlying sycall succeeds and the entry actually goes away. This keeps the
cache filled upon speculative rmdir when the directory may not be empty, for
example.
* src/safe.c (traverse_another_path): Don't report errors here.
* src/patch.c (main): Instead, recognize and report them here. Detect when an
output file name is invalid; it doesn't make sense to try creating a
reject file based on the same outbut file name in that case.
src/safe.c (MAX_PATH_COMPONENTS): The maximum number of path components
allowed.
(count_path_components): New function.
(traverse_another_path): Fail if the number of path components gets too high.
* src/safe.c (struct symlink): A symlink to resolve.
(push_symlink, pop_symlink): New functions.
(read_symlink): Create a new symlink stack entry.
(traverse_next): Follow ".." components within the working directory. When
hitting symlinks, "follow" them by reading and returning them.
(traverse_another_path): Recursively traverse symlinks.
* src/safe.c (struct cached_dirfd): Add parent pointer. Now that we know our
parent, we no longer need to duplicate its directory file descriptor.
(lookup_cached_dirfd): Don't update the lru list here.
(insert_cached_dirfd): The lru list may now be empty even if the cache is not.
(put_path): New function to put a path back into the lru list.
(openat_cached): Take cached entried off the lru list. They are added back
in put_path().
(traverse_another_path): Put lookup result back into the lru list with
put_path().
Prepare for keeping track of the directory hierarchy:
* src/safe.c (traverse_another_path): Pass struct cached_dirfd to
traverse_next().
(traverse_next, openat_cached): Pass through struct cached_dirfd.
When a file has already been renamed, make sure it is not renamed back to its
old name. Reported by Guido Draheim.
* src/patch.c (main): Make sure we never rename a file back to its previous
name. Report when a file was renamed already.
* tests/copy-rename: Add "already renamed" test cases.
* src/safe.c: Include util.h for say(). Define EFTYPE if it isn't defined
already.
(traverse_another_path): When openat fails, also check for EMLINK, EFTYPE, and
ENOTDIR. Change the error message to "file ... is not a directory" and only
skip the rest of the patch instead of aborting.
* tests/symlinks: Update.
Reported and fixed (mostly) by Christian Weisgerber <naddy@mips.inka.de>:
* tests/deep-directories: Avoid the bash >& redirection operator.
* tests/no-mode-change-git-diff: Instead of "stat -c", use "ls -l sed".
* tests/read-only-files: A redirection failure for a special built-in causes
some shells (FreeBSD sh, OpenBSD sh (pdksh), some bash --posix) to exit, and
the colon command is a special built-in. Perform the redirection in a subshell.
* Update gnulib submodule to latest.
* src/util.c (try_safe_open_args, try_safe_open): Arguments and callback for
try_tempname().
(make_tempfile): Switch from gen_tempname() to try_tempname().
* src/Makefile.am (patch_LDADD): Add LIB_EACCESS here. At least on Solaris,
faccessat() is implemented through eaccess() which is in the "gen" library.
Diffs can be indented by a variable number of spaces, tabs, or X characters.
Make sure that intuit_diff_type() only accepts context diffs where the first
and second line are indented identically, or else another_hunk() will fail.
* src/pch.c (intuit_diff_type): Remember the indentation of the last line. Only
recognize context diff hunks with the same amount of indentation on the first
and second line.
* tests/garbage: New test case.
* tests/Makefile.am (TESTS): Add test case.
Since the code is identical when just checking if a utility is present on
the system or not, we can factorize it.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Use the symlink-safe replacements for system calls in many places throughout
the code: In some places this makes patch safe against path traversal attacks;
in other places, it saves the kernel from having to re-traverse the pathnames.
* src/inp.c (plan_b): Use safe_open() + fdopen() instead of fopen().
* src/util.c (copy_attr): Document why we are safe here.
(create_backup): Use safe_open() instead of creat().
Add wrappers around system calls that traverse relative pathnames without
following symlinks. Written by Tim Waugh <twaugh@redhat.com> and Andreas
Gruenbacher <agruenba@redhat.com>.
* src/safe.h: Declare functions here.
* src/safe.c: Implement safe_* system call replacements that do not follow
symlinks along pathnames. Pathname components are resolved with openat().
Lookup results are cached to keep the overhead reasonably low.
* tests/deep-directories: New path traversal cache test.
* src/Makefile.am (patch_SOURCES): Add safe.[ch].
* tests/Makefile.am (TESTS): Add new test.
* src/util.c (filename_is_safe): New function split off from name_is_valid().
(symlink_target_is_valid): Explain why we cannot have absolute symlinks or
symlinks with ".." components for now.
(move_file): Move absolute filename check here and explain.
* tests/symlinks: Put test case with ".." symlink in comments for now.
* NEWS: Add CVE number.
* src/patch.c (main): Allow there_is_another_patch() to set the
skip_rest_of_patch flag.
* src/pch.c (intuit_diff_type): For renames and copies, also check the "other"
file name.
(pch_copy, pch_rename): Now that both names are checked in intuit_diff_type(),
we know they are defined here.
src/pch.c (another_hunk): Call set_hunkmax() from here to make sure it is
called even when falling back from plan A to plan B.
(open_patch_file): No need to call set_hunkmax() anymore.
src/pch.c (set_hunkmax): Fail when out of memory. Make static.
src/pch.h: Remove set_hunkmax() prototype.
* src/patch.c (locate_hunk): Start trying to apply the hunk at the minimum
offset which puts the hunk in the valid range of lines. This will often still
be offset 0.
When creating symlinks from git-style patches, make sure the symlinks don't
point above the current working directory. Otherwise, a subsequent patch could
use the symlink to write outside the working directory.
* src/pch.c (symlink_target_is_valid): New function to check for valid symlink
targets.
* src/util.c (move_file): Use symlink_target_is_valid() here.
* tests/symlinks: Add valid and invalid symlink test cases.
* bootstrap.conf: use intprops module.
* src/common.h: Define LINENUM_MIN and LINENUM_MAX macros.
* src/pch.c (another_hunk): Add line number overflow checking. Based on Robert
C. Seacord's INT32-C document for integer overflow checking and Tobias
Stoeckmann's "integer overflows and oob memory access" patch for FreeBSD.
* bootstrap.conf: use xmemdup0 module.
* src/pch.c (there_is_another_patch): Use xmemdup0 instead of savebuf when we
cannot recover from out-of-memory situations.
(intuit_diff_type): Likewise, use xstrdup instead of savestr.
(another_hunk): Handle the case when savestr returns NULL.
* src/util.c (fetchname, parse_name): Use xmemdup0 instead of savebuf when we
cannot recover from out-of-memory situations.
Bugs pointed out by Tobias Stoeckmann <tobias@stoeckmann.org>.
* src/patch.c (get_some_switches): The function savebuf (and therefore savestr)
copies strings using malloc. If malloc fails, NULL is returned. This is
intentional behavior so that in case of failure during "plan a" patching, "plan
b" can step in. The return value has to be properly checked for NULL. If the
return value must not be NULL, use xstrdup instead.
* src/merge.c (compute_changes): The TOO_EXPENSIVE heuristic in diffseq has
been removed, including compareseq's find_minimal parameter and the context's
too_expensive limit. Adjust.
