* src/safe.c (cwd_stat_errno, cwd_stat): stat() result of ".".
(read_symlink): When a symlink is absolute, check if it leads back into the
working directory. If it does, strip off the prefix above the working
directory. If the symlink points to the working directory, return an empty
path.
(traverse_another_path): Recognize empty paths from read_symlink().
* tests/symlinks: Absolute symlink test cases.
* src/safe.c (struct symlink): A symlink to resolve.
(push_symlink, pop_symlink): New functions.
(read_symlink): Create a new symlink stack entry.
(traverse_next): Follow ".." components within the working directory. When
hitting symlinks, "follow" them by reading and returning them.
(traverse_another_path): Recursively traverse symlinks.
When a file has already been renamed, make sure it is not renamed back to its
old name. Reported by Guido Draheim.
* src/patch.c (main): Make sure we never rename a file back to its previous
name. Report when a file was renamed already.
* tests/copy-rename: Add "already renamed" test cases.
* src/safe.c: Include util.h for say(). Define EFTYPE if it isn't defined
already.
(traverse_another_path): When openat fails, also check for EMLINK, EFTYPE, and
ENOTDIR. Change the error message to "file ... is not a directory" and only
skip the rest of the patch instead of aborting.
* tests/symlinks: Update.
Reported and fixed (mostly) by Christian Weisgerber <naddy@mips.inka.de>:
* tests/deep-directories: Avoid the bash >& redirection operator.
* tests/no-mode-change-git-diff: Instead of "stat -c", use "ls -l sed".
* tests/read-only-files: A redirection failure for a special built-in causes
some shells (FreeBSD sh, OpenBSD sh (pdksh), some bash --posix) to exit, and
the colon command is a special built-in. Perform the redirection in a subshell.
Diffs can be indented by a variable number of spaces, tabs, or X characters.
Make sure that intuit_diff_type() only accepts context diffs where the first
and second line are indented identically, or else another_hunk() will fail.
* src/pch.c (intuit_diff_type): Remember the indentation of the last line. Only
recognize context diff hunks with the same amount of indentation on the first
and second line.
* tests/garbage: New test case.
* tests/Makefile.am (TESTS): Add test case.
Since the code is identical when just checking if a utility is present on
the system or not, we can factorize it.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Add wrappers around system calls that traverse relative pathnames without
following symlinks. Written by Tim Waugh <twaugh@redhat.com> and Andreas
Gruenbacher <agruenba@redhat.com>.
* src/safe.h: Declare functions here.
* src/safe.c: Implement safe_* system call replacements that do not follow
symlinks along pathnames. Pathname components are resolved with openat().
Lookup results are cached to keep the overhead reasonably low.
* tests/deep-directories: New path traversal cache test.
* src/Makefile.am (patch_SOURCES): Add safe.[ch].
* tests/Makefile.am (TESTS): Add new test.
* src/util.c (filename_is_safe): New function split off from name_is_valid().
(symlink_target_is_valid): Explain why we cannot have absolute symlinks or
symlinks with ".." components for now.
(move_file): Move absolute filename check here and explain.
* tests/symlinks: Put test case with ".." symlink in comments for now.
* NEWS: Add CVE number.
When creating symlinks from git-style patches, make sure the symlinks don't
point above the current working directory. Otherwise, a subsequent patch could
use the symlink to write outside the working directory.
* src/pch.c (symlink_target_is_valid): New function to check for valid symlink
targets.
* src/util.c (move_file): Use symlink_target_is_valid() here.
* tests/symlinks: Add valid and invalid symlink test cases.
* src/patch.c (main): Preserve function names in reject files.
* tests/reject-format: Update the test case.
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Andreas Gruenbacher <agruen@linbit.com>
Reported by Thomas Moschny <thomas.moschny@gmx.de>:
src/patch.c (main): Temporary output files are created in the same directory as
the output file. Make sure to remove them before removing empty files and
their empty ancestor directories; else the directories won't be empty.
tests/remove-directories: Add directory removal test case.
tests/Makefile.am (TESTS): Add new test case.
* src/patch.c (main): Initialize data structures early enough, before error
paths can access them.
* tests/bad-usage: Test bad command line usage.
* tests/Makefile.am (TESTS): Add bad-usage here.
* src/patch.c: Only print the "file is not empty after patch" message when
trying to delete the output file. Say that we were trying to delete the file.
* tests/create-delete: Fix the expected messages. Add test cases for the
--remove-empty-files and --posix options.
* NEWS: Better describe this change.
Test cases based on patches from Dmitry V. Levin <ldv@altlinux.org>.
* src/patch.c (main): Only expect files to become empty if the patch says so.
* NEWS: Document this change.
* tests/create-delete: Add (more) empty vs. non-empty test cases.
* src/patch.c (main): Say that we are checking a file and not that we are
patching it in --dry-run mode. Don't say "saving rejects to file" when we
don't create reject files.
* tests/reject-format: Add rejects with --dry-run test case.
* tests/bad-filenames, tests/fifo, tests/mixed-patch-types: Update.
* src/patch.c (check_line_endings): New function.
(main): When a hunk fails, report when the line endings differ between the
input file and the patch.
* src/pch.c (there_is_another_patch): When saying that we strip trailing CRs,
also say how to turn this off.
* tests/crlf-handling: Update changed messages. Add test case that fails.
* src/common.h (follow_symlinks): New variable.
* src/patch.c (longopts): Add new --follow-symlinks option.
(get_some_switches): Recognize the new option.
* src/util.c (stat_file): Follow symlinks if requested.
* patch.man: Document the new option.
* tests/symlinks: Add test case.
* src/patch.c (main): Output queued output files only when switching from a git
diff to a non-git diff. This can modify the input file, so make sure to
stat() it again.
* tests/concat-git-diff: Add test case growing a file with a git diff and then
with a non-git diff; without this fix; the result would be truncated.
* src/pch.c (cwd_is_root): New function to check if we are in the root
directory of a filename.
(name_is_valid): Allow to use potentially dangerous filenames when the current
working directory is the root directory: from there, those names are not
any more dangerous than other names.
* tests/bad-filenames: New test case.
* src/patch.c (main): Fail if a file is not empty as expected.
(output_files): In a git-style diff, make sure not to unlink the original when
making a backup of an unmodified file.
* tests/create-delete: Fix failed-file-deletion test and add
successful-file-deletion test.
* src/patch.c (main): Instead of looking at the SHA hashes to detect
concatenated git-style patches, detect when a file to write to is already in
the output queue.
* tests/concat-git-diff: Add create/delete tests.
* src/patch.c (output_file): Create new files immediately. Document why
things are implemented that way.
* tests/concat-git-diff: Fix glitch in test case.
* src/patch.c (main): Remember the "before" SHA1 hashes of git-style patches;
the same patch will always use the same "before" SHA1 for a specific file.
Try to recognize concatenated patches based on that.
* tests/concat-git-diff: New test case.
* tests/Makefile.am (TESTS): Add new test case.
* tests/copy-rename, tests/criss-cross, tests/file-modes,
tests/mixed-patch-types, tests/quoted-filenames: Add missing index lines in the
"dif --git" test cases: We will use some of them for consistency checks soon.
Bug reported by Dmitry V. Levin <ldv@altlinux.org>.
* src/patch.c (output_file_later): Fix case where the output file is identical
with the input file (and to == NULL).
Failing when trying to patch read-only files causes various users of patch to
break. Instead, warn by default and introduce a command line option for
choosing a different behavior.
* patch.man: Describe the new behavior and command-line option.
* src/patch.c (read_only_behavior): New variable.
(main): Implement the new behavior.
(longopts): Add the new --read-only option.
(option_help): Describe the new behavior.
(get_some_switches): Recognize the new --read-only option.
In git-style patch files, all patches refer to the initial state of the input
files; files cannot be modified more than once. Implement these semantics by
creating all output files once all patches in the patch file have been
processed.
* src/patch.c (init_files_to_output, output_files): Add prototypes.
(main): Remember which type of patch file we are processing. Initialize the
output files list. Output files of git-style patches once all patches have
been read, or when from git-style to normal patches.
(file_to_output): New struct.
(files_to_output): List of the files to output.
(output_file, output_file_now, output_file_later): Either queue a file for
deletion, remember to output a file later (git-style), or output the file
immediately (normal).
(dispose_file_to_output, init_files_to_output, output_files,
forget_output_files): New functions.
(gl_list_clear): Should be provided by gnulib but isn't.
(cleanup): Clean up any left-over temporary output files as well.
* tests/Makefile-am (XFAIL_TESTS): Remove criss-cross; this test case works now.
* tests/mixed-patch-types: Patch files that change from normal to git-style, or
from git-style to normal.
* tests/symlinks: Remove test case which deletes and then recreates a symlink:
all patches in a git-style input file must refer to the "before" state; the
test case is invalid.
* src/util.h (enum file_attributes): Add FA_XATTRS flag for extended
attributes.
* src/patch.c (main): Use set_file_attributes() even when the infile doesn't
exist: it may still set the file time (FA_TIMES). Omit all other FA_ flags if
infile doesn't exist. Otherwise, add FA_XATTRS as well.
* src/util.c (set_file_attributes): Only copy extended attributes if FA_XATTRS
is set. Avoid using st where it may be undefined.
* tests/preserve-mode-and-timestamp: Add file create test.
* tests/Makefile.am (TESTS_ENVIRONMENT): Don't use $(SHELL) here
to ensure the test scripts are run through it; instead, ...
(LOG_COMPILER): ... use it here.
