diff options
author | Junio C Hamano <gitster@pobox.com> | 2023-02-14 04:03:24 +0300 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2023-02-14 04:03:55 +0300 |
commit | c867e4fa180bec4750e9b54eb10f459030dbebfd (patch) | |
tree | d178a68edd12cea19afafb57436e3592d6e6178f /apply.c | |
parent | 23c56f7bd5f1667f8b793d796bf30e39545920f6 (diff) | |
parent | cbf04937d5b9fcf0a76c28f69e6294e9e3ecd7e6 (diff) |
Sync with Git 2.39.2
Diffstat (limited to 'apply.c')
-rw-r--r-- | apply.c | 27 |
1 files changed, 27 insertions, 0 deletions
@@ -4418,6 +4418,33 @@ static int create_one_file(struct apply_state *state, if (state->cached) return 0; + /* + * We already try to detect whether files are beyond a symlink in our + * up-front checks. But in the case where symlinks are created by any + * of the intermediate hunks it can happen that our up-front checks + * didn't yet see the symlink, but at the point of arriving here there + * in fact is one. We thus repeat the check for symlinks here. + * + * Note that this does not make the up-front check obsolete as the + * failure mode is different: + * + * - The up-front checks cause us to abort before we have written + * anything into the working directory. So when we exit this way the + * working directory remains clean. + * + * - The checks here happen in the middle of the action where we have + * already started to apply the patch. The end result will be a dirty + * working directory. + * + * Ideally, we should update the up-front checks to catch what would + * happen when we apply the patch before we damage the working tree. + * We have all the information necessary to do so. But for now, as a + * part of embargoed security work, having this check would serve as a + * reasonable first step. + */ + if (path_is_beyond_symlink(state, path)) + return error(_("affected file '%s' is beyond a symbolic link"), path); + res = try_create_file(state, path, mode, buf, size); if (res < 0) return -1; |