Re: [bug-patch] patch rejects file names starting with '../' as "invalid"
From: Andreas Grünbacher
Subject: Re: [bug-patch] patch rejects file names starting with '../' as "invalid"
Date: Thu, 12 Jan 2017 17:19:53 +0100
Bruno,
2017-01-12 17:05 GMT+01:00 Bruno Haible <address@hidden>:
> With patch 2.7.5 I have to make contortions in order to transport a set
> of hunks from one file to another:
>
> $ git diff vacall.h.in | patch ../callback/vacall_r/vacall_r.h.in
> Invalid file name ../callback/vacall_r/vacall_r.h.in -- skipping patch
>
> $ git diff vacall.h.in | (cd .. && patch callback/vacall_r/vacall_r.h.in)
> patching file callback/vacall_r/vacall_r.h.in
> Hunk #1 succeeded at 367 (offset -1 lines).
> Hunk #2 succeeded at 651 (offset -1 lines).
>
> This worked with 2.7.1, hence it is a regression:
>
> $ git diff vacall.h.in | patch ../callback/vacall_r/vacall_r.h.in
> patching file ../callback/vacall_r/vacall_r.h.in
> Hunk #1 succeeded at 367 (offset -1 lines).
> Hunk #2 succeeded at 651 (offset -1 lines).
>
> I fully agree that for security reasons, patch (like 'tar') should reject
> file names that start with '../' when they originate from the patch file
> (standard input in this case). But for file names given on the command line,
> there is no security risk.
I agree. This should actually be addressed by commit 83a3ed01 on
git://git.savannah.gnu.org/patch.git from last July already, can you
verify?
Thanks,
Andreas