Re: review of guillem/next/d-m-h-root

To: debian-dpkg@lists.debian.org, David Kalnischkies <david@kalnischkies.de>, Bastien ROUCARIÈS <roucaries.bastien@gmail.com>
Subject: Re: review of guillem/next/d-m-h-root
From: Helmut Grohne <helmut@subdivi.de>
Date: Wed, 29 Apr 2020 11:52:54 +0200
Message-id: <[🔎] 20200429095254.GA22860@alf.mars>
Mail-followup-to: Helmut Grohne <helmut@subdivi.de>, debian-dpkg@lists.debian.org, David Kalnischkies <david@kalnischkies.de>, Bastien ROUCARIÈS <roucaries.bastien@gmail.com>
In-reply-to: <20200429092808.GA1148783@thunder.hadrons.org>
References: <20200419053418.GA23273@alf.mars> <20200429092808.GA1148783@thunder.hadrons.org>

Hi Guillem,

On Wed, Apr 29, 2020 at 11:28:08AM +0200, Guillem Jover wrote:
> Thanks! I notice this is susceptible to directory traversals. I've
> amended it and added comments in the attached version. I'm thinking
> I'll need to add unit tests to cover for this among other similar
> issues.

I don't think your adaption is correct. Traversing the root directory is
actually supported. /../ resolves to /. Returning an error there is not
correct.

And yeah, moving this into some tool definitely seems in order.

Helmut

Reply to:

Follow-Ups:
- Re: review of guillem/next/d-m-h-root
  - From: Guillem Jover <guillem@debian.org>

Next by Date: Re: review of guillem/next/d-m-h-root
Next by thread: Re: review of guillem/next/d-m-h-root
Index(es):
- Date
- Thread