authorJunio C Hamano <gitster@pobox.com>2015-01-30 23:34:13 (GMT)
committerJunio C Hamano <gitster@pobox.com>2015-02-10 21:41:39 (GMT)
commitfdc2c3a926c21e24986677abd02c8bc568a5de32 (patch)
tree1ee77daa3090efe28fa2fc2659863fba6e2793d3 /builtin/apply.c
parent3c37a2e339e695c7cc41048fe0921cbc8b48b0f0 (diff)
apply: do not read from beyond a symbolic link
We should reject a patch, whether it renames/copies dir/file to elsewhere with or without modification, or updates dir/file in place, if "dir/" part is actually a symbolic link to elsewhere, by making sure that the code to read the preimage does not read from a path that is beyond a symbolic link. Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'builtin/apply.c')
-rw-r--r--builtin/apply.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/builtin/apply.c b/builtin/apply.c
index 21e45a0..422e4ce 100644
--- a/builtin/apply.c
+++ b/builtin/apply.c
@@ -3145,6 +3145,8 @@ static int load_patch_target(struct strbuf *buf,
return read_file_or_gitlink(ce, buf);
else
return SUBMODULE_PATCH_WITHOUT_INDEX;
+ } else if (has_symlink_leading_path(name, strlen(name))) {
+ return error(_("reading from '%s' beyond a symbolic link"), name);
} else {
if (read_old_data(st, name, buf))
return error(_("read of %s failed"), name);
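Review bot: The symlink test and the read it guards are two separate by-name accesses: `has_symlink_leading_path(name, strlen(name))` inspects the path, and `read_old_data(st, name, buf)` in the next branch presumably resolves `name` again, so the guarantee holds only if the working tree is not modified in between. The check also reflects only what is on disk at that moment; a leading symlink that the same patch input would create or remove has to be caught elsewhere, which this hunk does not show. I would record both assumptions above the new branch, e.g. `/* worktree read: refuse a path whose leading directory is a symlink so the preimage never comes from outside the tree; assumes no concurrent changes to the tree */`. As a style point, the new message quotes the path (`'%s'`) while the neighbouring `read of %s failed` does not, and the two should agree. load_patch_target starts and ends outside the hunk.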