The following commit has been merged in the sourcev3 branch:
commit 867c88dadccff6e285c48dadccb61f9001b50d9b
Author: Raphael Hertzog <[EMAIL PROTECTED]>
Date: Tue Mar 18 17:39:08 2008 +0100
Avoid extracting files through symlinks
* scripts/Dpkg/Source/Package/V2_0.pm (do_extract): Now
that the debian tarball is extracted in-place over the
unpacked source directory, it's important to not let tar
unpack files in symlinked directories (otherwise it would
be possible to write files outside of the unpacked
source tree).
diff --git a/scripts/Dpkg/Source/Package/V2_0.pm
b/scripts/Dpkg/Source/Package/V2_0.pm
index 0a24da2..a256361 100644
--- a/scripts/Dpkg/Source/Package/V2_0.pm
+++ b/scripts/Dpkg/Source/Package/V2_0.pm
@@ -36,6 +36,7 @@ use File::Basename;
use File::Temp qw(tempfile tempdir);
use File::Path;
use File::Spec;
+use File::Find;
sub init_options {
my ($self) = @_;
@@ -118,8 +119,20 @@ sub do_extract {
# Extract debian tarball after removing the debian directory
info(_g("unpacking %s"), $debianfile);
erasedir("$newdirectory/debian");
+ # Exclude existing symlinks from extraction of debian.tar.gz as we
+ # don't want to overwrite something outside of $newdirectory due to a
+ # symlink
+ my @exclude_symlinks;
+ my $wanted = sub {
+ return if not -l $_;
+ my $fn = File::Spec->abs2rel($_, $newdirectory);
+ push @exclude_symlinks, "--exclude", $fn;
+ };
+ find({ wanted => $wanted, no_chdir => 1 }, $newdirectory);
$tar = Dpkg::Source::Archive->new(filename => "$dscdir$debianfile");
- $tar->extract($newdirectory, in_place => 1);
+ $tar->extract($newdirectory, in_place => 1,
+ options => [ '--anchored', '--no-wildcards',
+ @exclude_symlinks ]);
# Apply patches (in a separate method as it might be overriden)
$self->apply_patches($newdirectory);
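Review bot: The `--exclude` list built in `$wanted` protects only symlinks that already exist in `$newdirectory` before extraction, and only if tar's member names have the same form as the `abs2rel` output. With `--anchored --no-wildcards` the match is literal from the start of the name, so a debian tarball whose members are stored as `./debian/...` (or with other redundant path components) may not match an exclude such as `debian/foo`; it would be worth confirming this against the tar version in use and adding a test with such a tarball. Symlinks shipped inside the debian tarball itself are not covered by this list and presumably rely on tar's own default handling of links during extraction. A comment such as `# only pre-existing symlinks are excluded; links created by the tarball itself rely on tar's defaults` above the `find` call would make that boundary explicit. The body of `do_extract` starts and ends outside this hunk, so how `erasedir` and `extract` treat these paths cannot be checked from here.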
--
dpkg's main repository