Bruno,

2017-01-12 17:05 GMT+01:00 Bruno Haible <br...@clisp.org>:
> With patch 2.7.5 I have to make contortions in order to transport a set
> of hunks from one file to another:
>
> $ git diff vacall.h.in | patch ../callback/vacall_r/vacall_r.h.in
> Invalid file name ../callback/vacall_r/vacall_r.h.in -- skipping patch
>
> $ git diff vacall.h.in | (cd .. && patch callback/vacall_r/vacall_r.h.in)
> patching file callback/vacall_r/vacall_r.h.in
> Hunk #1 succeeded at 367 (offset -1 lines).
> Hunk #2 succeeded at 651 (offset -1 lines).
>
> This worked with 2.7.1, hence it is a regression:
>
> $ git diff vacall.h.in | patch ../callback/vacall_r/vacall_r.h.in
> patching file ../callback/vacall_r/vacall_r.h.in
> Hunk #1 succeeded at 367 (offset -1 lines).
> Hunk #2 succeeded at 651 (offset -1 lines).
>
> I fully agree that for security reasons, patch (like 'tar') should reject
> file names that start with '../' when they originate from the patch file
> (standard input in this case). But for file names given on the command line,
> there is no security risk.

I agree. This should actually be addressed by commit 83a3ed01 on
git://git.savannah.gnu.org/patch.git from last July already, can you verify?

Thanks,
Andreas
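
Added example, not part of the thread and not GNU patch's code: a lexical check that applies the distinction discussed above, accepting a target name given on the command line while rejecting one that came from the patch input. It goes beyond the '../' prefix case by rejecting a ".." component anywhere in the name and absolute paths. The enum and function names are hypothetical, and symlinks are not considered.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Where a target file name came from (names here are this example's own). */
enum name_origin { FROM_COMMAND_LINE, FROM_PATCH_INPUT };

/* True if any '/'-separated component of name is exactly "..". */
static bool has_dotdot_component(const char *name)
{
    const char *p = name;
    while (*p) {
        while (*p == '/')               /* skip separators */
            p++;
        size_t len = strcspn(p, "/");   /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        p += len;
    }
    return false;
}

/* Names read from the patch are untrusted and must stay below the working
   directory; names the user typed on the command line are accepted. */
bool target_name_allowed(const char *name, enum name_origin origin)
{
    if (name == NULL || *name == '\0')
        return false;
    if (origin == FROM_COMMAND_LINE)
        return true;
    if (name[0] == '/')                 /* absolute path from untrusted input */
        return false;
    return !has_dotdot_component(name);
}

int main(void)
{
    /* Path from the thread, once as typed by the user and once as if it
       had been read from a patch header. */
    const char *name = "../callback/vacall_r/vacall_r.h.in";
    printf("command line: %s\n",
           target_name_allowed(name, FROM_COMMAND_LINE) ? "accept" : "reject");
    printf("patch input:  %s\n",
           target_name_allowed(name, FROM_PATCH_INPUT) ? "accept" : "reject");
    return 0;
}
```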