This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch master in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=727edc4d287796a139e6f4d4f367ead995b5d919
commit 727edc4d287796a139e6f4d4f367ead995b5d919
Author: Guillem Jover <guil...@debian.org>
AuthorDate: Mon Sep 28 02:44:10 2020 +0200
Dpkg::Path: Fix pathname traversal check for symlinks
If the canonicalized pathname from the symlink matches the canonicalized root directory, then they are the same directory and there is no directory traversal.
Closes: #971203
---
scripts/Dpkg/Path.pm | 1 +
scripts/t/Dpkg_Path.t | 10 +++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/scripts/Dpkg/Path.pm b/scripts/Dpkg/Path.pm
index 782bc4230..22c2c55bb 100644
--- a/scripts/Dpkg/Path.pm
+++ b/scripts/Dpkg/Path.pm
@@ -226,6 +226,7 @@ sub check_directory_traversal {
 syserr(g_("pathname '%s' cannot be canonicalized"), $_);
 }
 return if $canon_pathname eq '/dev/null';
+ return if $canon_pathname eq $canon_basedir;
 return if $canon_pathname =~ m{^\Q$canon_basedir/\E};
 error(g_("pathname '%s' points outside source root (to '%s')"),
diff --git a/scripts/t/Dpkg_Path.t b/scripts/t/Dpkg_Path.t
index bfd5b8db5..33d1f9267 100644
--- a/scripts/t/Dpkg_Path.t
+++ b/scripts/t/Dpkg_Path.t
@@ -16,7 +16,7 @@ use strict;
 use warnings;
-use Test::More tests => 33;
+use Test::More tests => 34;
 use Test::Dpkg qw(:paths);
 use Cwd qw(realpath);
@@ -75,6 +75,14 @@ my %travtype = (
 fail => 0,
 gen => sub { },
 },
+ same => {
+ fail => 0,
+ chroot => "$tmpdir/travbase-same",
+ gen => sub {
+ my $basedir = shift;
+ symlink '../..', "$basedir/subdir/root";
+ },
+ },
 dev_null => {
 fail => 0,
 gen => sub {
-- Dpkg.Org's dpkg
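Review bot: The added `return if $canon_pathname eq $canon_basedir;` in scripts/Dpkg/Path.pm carries no comment, so the reason a symlink resolving to the source root is accepted is recorded only in the commit message. I would put `# A symlink that resolves to the source root itself stays inside the tree.` above it. The prefix test on the following line is safe only because the `/` sits inside `\Q…\E`; if the two lines are ever merged into one pattern, that boundary should be kept, for example `m{\A\Q$canon_basedir\E(?:/|\z)}`, so that a sibling directory sharing the root's name as a prefix is still rejected. How `$canon_basedir` is derived is outside the hunk, and check_directory_traversal itself starts and ends outside it.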
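Review bot: The new `same` entry in scripts/t/Dpkg_Path.t introduces a `chroot` key that the neighbouring entries visible in this hunk do not have, and the diffstat for this file (9 insertions, 1 deletion) is fully accounted for by the lines shown, so the loop that consumes `%travtype` is not touched by this commit. Unless that loop, which is outside the hunk, already reads `chroot`, the key is ignored; `'../..'` from `$basedir/subdir/root` resolves to the parent of `$basedir`, so the case only exercises the equal-to-root path if the check root is that parent. A comment such as `# '../..' from subdir/root resolves to the check root named by chroot.` would make the intent verifiable. A companion `fail => 1` case whose link resolves to a sibling of the root sharing its name prefix would pin the boundary the Path.pm change relies on; whether one already exists is not visible here.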