Re: [bug-patch] [PATCH] do not validate target name when it is specified
From: Jim Meyering
Subject: Re: [bug-patch] [PATCH] do not validate target name when it is specified on the command line
Date: Wed, 16 Feb 2011 18:03:21 +0100
Andreas Gruenbacher wrote:
> On Wednesday 16 February 2011 17:39:07 Jim Meyering wrote:
>> However, if somehow you can come up with input that contains 3 bad
>> file names, A, B, A, then yes, you would inappropriately see two
>> warnings about A.
>
> Yes, this is what happens. A patch like this won't be very common, but still:
>
> cat > d.diff <<EOF
> --- ../x
> +++ ../y
> @@ -0,0 +1 @@
> +x
> EOF
>
> touch ../x ../y
> check 'patch -f -p0 --dry-run < d.diff || echo status: $?' <<EOF
> Ignoring potentially dangerous file name ../x
> Ignoring potentially dangerous file name ../y
> Ignoring potentially dangerous file name ../x
> Ignoring potentially dangerous file name ../y
> can't find file to patch at input line 3
> Perhaps you used the wrong -p or --strip option?
> The text leading up to this was:
> --------------------------
> |--- ../x
> |+++ ../y
> --------------------------
> No file to patch. Skipping patch.
> 1 out of 1 hunk ignored
> status: 1
> EOF
Thanks.
Here's a better patch.
With it, we get one message per invalid file name.
diff --git a/src/pch.c b/src/pch.c
index 41c15b6..b617f30 100644
--- a/src/pch.c
+++ b/src/pch.c
@@ -380,10 +380,15 @@ static bool
name_is_valid (char const *name)
{
const char *n = name;
+ static char const *bad[2];
+
+ if (name == bad[0] || name == bad[1])
+ return false;
if (IS_ABSOLUTE_FILE_NAME (name))
{
say ("Ignoring potentially dangerous file name %s\n", quotearg (name));
+ bad[!!bad[0]] = name;
return false;
}
for (n = name; *n; )
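Review bot: the early return at the top of name_is_valid, `if (name == bad[0] || name == bad[1])`, compares pointer values rather than the strings, and the static `bad[2]` array is never cleared. The cache is therefore only correct while the caller passes the very same buffer for the repeated check and that buffer stays alive. If a rejected name is freed and a later, different name is allocated at the same address, that name is rejected silently without being inspected; this fails closed, but it hides the warning and can refuse a valid name. Consider storing copies and comparing with strcmp, or resetting `bad` wherever the names are released, and add a comment stating that the array exists only to suppress duplicate warnings.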
@@ -391,6 +396,7 @@ name_is_valid (char const *name)
if (*n == '.' && *++n == '.' && ( ! *++n || ISSLASH (*n)))
{
say ("Ignoring potentially dangerous file name %s\n", quotearg
(name));
+ bad[!!bad[0]] = name;
return false;
}
while (*n && ! ISSLASH (*n))
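Review bot: `bad[!!bad[0]] = name;` in the ".." branch is the second copy of the same non-obvious statement, and its slot choice needs a comment: the first rejected name goes to bad[0] and every later one overwrites bad[1]. With three distinct bad names the second is evicted, so a repeat of it warns again. That covers the old/new name pair in the reported test case, but the two-name limit should be stated next to the array. Folding the say() call and the assignment into one small helper used by both the absolute-name branch and this one would keep the two rejection paths from drifting apart.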