This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch master in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=baa01dd67eecff51fa9f1b49d15e42121093b844 commit baa01dd67eecff51fa9f1b49d15e42121093b844 Author: Guillem Jover <[email protected]> AuthorDate: Fri Jul 3 07:11:25 2020 +0200 Dpkg::Path: Catch uncanonicanizable pathnames with a proper error If the pathname cannot be canonicalized, we catch this and error out explicitly, instead of letting the catch-all error message for the directory traversal error message print a confusing diagnostic. Closes: #964111 --- debian/changelog | 2 ++ scripts/Dpkg/Path.pm | 3 +++ 2 files changed, 5 insertions(+) diff --git a/debian/changelog b/debian/changelog index ece05ebd2..7484c7106 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,6 +12,8 @@ dpkg (1.20.4) UNRELEASED; urgency=medium Dpkg::Source::Package->extract(). - Dpkg::Path: Do not do partial matches for directory traversal checks, expect a trailing slash after the base directory name. + - Dpkg::Path: Catch uncanonicanizable pathnames with a proper error. + Closes: #964111 * Build system: - Add Module::Signature as configure recommends for CPAN. * Test suite: diff --git a/scripts/Dpkg/Path.pm b/scripts/Dpkg/Path.pm index 240b328f6..4b555b9b8 100644 --- a/scripts/Dpkg/Path.pm +++ b/scripts/Dpkg/Path.pm @@ -219,6 +219,9 @@ sub check_directory_traversal { my $canon_basedir = realpath($basedir); my $check_symlinks = sub { my $canon_pathname = realpath($_); + if (not defined $canon_pathname) { + syserr(g_("pathname '%s' cannot be canonicalized"), $_); + } return if $canon_pathname =~ m{^\Q$canon_basedir/\E}; error(g_("pathname '%s' points outside source root (to '%s')"), -- Dpkg.Org's dpkg
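Review bot: In the debian/changelog hunk, the added entry spells the word "uncanonicanizable", while the error string added in the same commit says "cannot be canonicalized". Suggest "uncanonicalizable" so the changelog entry matches the message users will see and can be found by searching for it.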
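Review bot: In the scripts/Dpkg/Path.pm hunk, the new definedness check covers only $canon_pathname; the context line `my $canon_basedir = realpath($basedir);` just above it has no equivalent check in the visible lines. If realpath($basedir) returns undef, the pattern `m{^\Q$canon_basedir/\E}` interpolates an empty string and reduces to `^/`, which any absolute canonical pathname matches, so the closure would return early and the traversal check would pass silently. Unless callers guarantee that $basedir resolves, suggest the same `not defined` test with syserr() directly after that assignment, so that a failure to canonicalize the base directory stops the check rather than weakening it.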

