This is an automated email from the git hooks/post-receive script. abe pushed a commit to branch master in repository debsums.
commit a01dbf49d7ccfc8d518b5218b0dee51eb5aa3ecc Author: Andreas Beckmann <a...@debian.org> Date: Sat Feb 7 00:54:52 2015 +0100 Fix accessing files in the host filesystem while checking an alt. --root + following abs. links Closes: #689202 Manually resolve symlinks without escaping the --root directory and open the resolved path instead of the original one. --- debian/changelog | 7 +++++++ debsums | 29 +++++++++++++++++++++++++++-- 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index f314776..4abb7b3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,6 @@ debsums (2.1~dev) UNRELEASED; urgency=medium + [ Axel Beckert ] * Take package under maintenance of the Debian Perl Group + Move Maintainer to Uploaders + Set Maintainer to the Debian Perl Group @@ -25,6 +26,12 @@ debsums (2.1~dev) UNRELEASED; urgency=medium + Exit with highest exit code of any of its child debsums processes exited. (Closes: #711560) + [ Andreas Beckmann ] + * Fix accessing files in the host root filesystem (/) while checking an + alternate --root and following absolute symlinks. (Closes: #689202) + Manually resolve symlinks without escaping the --root directory and open + the resolved path instead of the original one. + -- Axel Beckert <a...@debian.org> Fri, 06 Feb 2015 23:50:20 +0100 debsums (2.0.52+nmu3) unstable; urgency=medium diff --git a/debsums b/debsums index 8dec26c..8509e0c 100755 --- a/debsums +++ b/debsums 
@@ -381,6 +381,30 @@ sub is_localepurge_file { return length($locale) && !$locales{$locale}; } +# resolve symlinks without escaping $root +sub resolve_path { + my $path = shift; + my @tokens = split(/\//, $path); + my @parts = (); + while (@tokens) { + my $token = shift @tokens; + next if $token eq '.' || $token eq ''; + if ($token eq '..') { + pop @parts; + next; + } + my $fp = $root . '/' . join('/', @parts) . '/' . $token; + if (-l $fp) { + my $link = readlink($fp); + @parts = () if $link =~ /^\//; + unshift @tokens, split(/\//, $link); + } else { + push @parts, $token; + } + } + return join('/', @parts); +} + { my $width = ($ENV{COLUMNS} || 80) - 3; $width = 6 if $width < 6; @@ -392,8 +416,9 @@ sub is_localepurge_file { $path = $diversion{$path}[0] if exists $diversion{$path} and $diversion{$path}[1] ne $pack; - if ((!sysopen F, "$root/$path", O_RDONLY|O_NONBLOCK|$my_noatime) && - (!sysopen F, "$root/$path", O_RDONLY|O_NONBLOCK)) + my $resolved = resolve_path($path); + if ((!sysopen F, "$root/$resolved", O_RDONLY|O_NONBLOCK|$my_noatime) && + (!sysopen F, "$root/$resolved", O_RDONLY|O_NONBLOCK)) { return 0 if $localepurge and is_localepurge_file($path); -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/debsums.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
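Review bot: The `while (@tokens)` loop in `resolve_path` puts no bound on symlink expansion, so a link that points at itself, or a cycle of links under `$root`, keeps refilling `@tokens` and the run never finishes, where the kernel's own resolution would stop with ELOOP. Because `--root` can name a tree the caller does not control, count the expansions and give up past a fixed limit, e.g. `my $hops = 0;` before the loop and `return if ++$hops > 40;` inside the `-l` branch (40 is an illustrative value), with the call site treating an undefined result as a failed open. The `readlink` result is also used unchecked: if the call fails, `$link` is undef when it reaches the `=~` and the `split`, so `return unless defined $link;` belongs right after it. The header comment could state both limits, for instance `# returns a path relative to $root, or nothing if a link cannot be read or the chain is too long`.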
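Review bot: Both `sysopen` calls in the second hunk still pass `"$root/$resolved"` to the kernel by name, so the containment computed by `resolve_path` holds only while nothing under `$root` changes between its `-l` tests and the open. A component that becomes a symlink in that window would again be followed outside `$root`. Adding `O_NOFOLLOW` to both flag sets (`O_RDONLY|O_NONBLOCK|O_NOFOLLOW`), where Fcntl provides it, would at least make a swapped final component fail instead of being followed. Intermediate directories are not covered by that flag, which deserves a comment such as `# resolved in userspace; only safe if $root is not modified during the run`. The enclosing block starts before and continues past this hunk, so how a failed open is reported is not visible here.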