[dpkg] 11/15: Dpkg::Path: Allow /dev/null for directory traversals

Mon, 06 Jul 2020 23:35:33 -0700 

This is an automated email from the git hooks/post-receive script.

guillem pushed a commit to branch master
in repository dpkg.

View the commit online:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=645f3342b92d2ac9fe9845a400b59541de02f37f

commit 645f3342b92d2ac9fe9845a400b59541de02f37f
Author: Guillem Jover <guil...@debian.org>
AuthorDate: Fri Jul 3 19:26:42 2020 +0200

    Dpkg::Path: Allow /dev/null for directory traversals
    
    This is a pattern used at least by systemd, and a standard pathname
    to use which should be innocuous, so add an exception for it.
    
    Reported-by: Holger Levsen <hol...@layer-acht.org>
---
 debian/changelog      | 2 ++
 scripts/Dpkg/Path.pm  | 1 +
 scripts/t/Dpkg_Path.t | 9 ++++++++-
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 42811f52c..57f14010f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -16,6 +16,8 @@ dpkg (1.20.4) UNRELEASED; urgency=medium
       Closes: #964111
     - Dpkg::Path: Do not consider missing symlink targets a directory
       traversal attempt. Closes: #964234
+    - Dpkg::Path: Allow /dev/null for directory traversals.
+      Reported by Holger Levsen <hol...@layer-acht.org>.
   * Build system:
     - Add Module::Signature as configure recommends for CPAN.
   * Test suite:
diff --git a/scripts/Dpkg/Path.pm b/scripts/Dpkg/Path.pm
index b44857964..782bc4230 100644
--- a/scripts/Dpkg/Path.pm
+++ b/scripts/Dpkg/Path.pm
@@ -225,6 +225,7 @@ sub check_directory_traversal {
 
             syserr(g_("pathname '%s' cannot be canonicalized"), $_);
         }
+        return if $canon_pathname eq '/dev/null';
         return if $canon_pathname =~ m{^\Q$canon_basedir/\E};
 
         error(g_("pathname '%s' points outside source root (to '%s')"),
diff --git a/scripts/t/Dpkg_Path.t b/scripts/t/Dpkg_Path.t
index 12747ad81..667afff21 100644
--- a/scripts/t/Dpkg_Path.t
+++ b/scripts/t/Dpkg_Path.t
@@ -16,7 +16,7 @@
 use strict;
 use warnings;
 
-use Test::More tests => 32;
+use Test::More tests => 33;
 use Test::Dpkg qw(:paths);
 
 use Cwd qw(realpath);
@@ -75,6 +75,13 @@ my %travtype = (
         fail => 0,
         gen => sub { },
     },
+    dev_null => {
+        fail => 0,
+        gen => sub {
+            my $basedir = shift;
+            symlink '/dev/null', "$basedir/dev-null";
+        },
+    },
     dots => {
         fail => 0,
         gen => sub {

-- 
Dpkg.Org's dpkg

Reply via email to