path: root/scripts/Dpkg/Source/Package/V3/quilt.pm
authorRaphaël Hertzog <hertzog@debian.org>2010-03-05 22:07:30 +0100
committerRaphaël Hertzog <hertzog@debian.org>2010-03-10 21:25:05 +0100
commit1e84a1bd2c7b175cd15934345af61841a7435eda (patch)
tree08901ba7c460d9e8e000ccf13be6b9ad8f4cb6d7 /scripts/Dpkg/Source/Package/V3/quilt.pm
parent2cb3d5d38fbe937280a8875b79a7247ac37a383d (diff)
downloaddpkg-1e84a1bd2c7b175cd15934345af61841a7435eda.tar.gz
Dpkg::Source::Package::V3::quilt: sanity check of series file
A series file should only contain paths pointing inside debian/patches/, and thus "../" components are forbidden. Given that the path to each patch appears on the patch command line as -B .pc/$path, a carefully crafted path could lead patch to overwrite an arbitrary file outside of the destination directory with a file provided in the source package.
Diffstat (limited to 'scripts/Dpkg/Source/Package/V3/quilt.pm')
-rw-r--r--scripts/Dpkg/Source/Package/V3/quilt.pm1
1 files changed, 1 insertions, 0 deletions
diff --git a/scripts/Dpkg/Source/Package/V3/quilt.pm b/scripts/Dpkg/Source/Package/V3/quilt.pm
index 698b747d1..58c494b37 100644
--- a/scripts/Dpkg/Source/Package/V3/quilt.pm
+++ b/scripts/Dpkg/Source/Package/V3/quilt.pm
@@ -123,6 +123,7 @@ sub read_patch_list {
}
}
next if $opts{"skip_auto"} and $_ eq $auto_patch;
+ error(_g("%s contains an insecure path: %s"), $file, $_) if m{(^|/)\.\./};
push @patches, $_;
}
close(SERIES);
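Review bot: The new check on the series entry rejects only a `..` component that is followed by a slash, so an entry that is exactly `..`, one ending in `/..`, and an absolute path starting with `/` all pass `m{(^|/)\.\./}` and reach `push @patches, $_`. Whether those forms are harmless depends on how the path is later joined and passed to patch, which is not visible in this hunk; if nothing downstream rejects them, a stricter form such as `error(_g("%s contains an insecure path: %s"), $file, $_) if m{^/} or m{(?:^|/)\.\.(?:/|$)};` closes the gap at the same cost. A one-line comment stating the invariant would also help the next reader, e.g. `# series entries must stay inside debian/patches/: no absolute paths, no ".." components`. The enclosing `read_patch_list` starts before this hunk and its remaining lines are outside it.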