From: Jeff King <peff@peff.net>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH v2 4/4] apply: do not touch a file beyond a symbolic link
Date: Mon, 2 Feb 2015 21:04:42 -0500 [thread overview]
Message-ID: <20150203020440.GA4917@peff.net> (raw)
In-Reply-To: <xmqq61bjsqoo.fsf@gitster.dls.corp.google.com>
On Mon, Feb 02, 2015 at 05:56:55PM -0800, Junio C Hamano wrote:
> > I think this means we'll be
> > overly cautious with a patch that does:
> >
> > 1. add foo as a symlink
> >
> > 2. remove foo
> >
> > 3. add foo/bar
> >
> > which is perfectly OK
>
> No, such a patchset is broken.
>
> A valid "git apply" input must *not* depend on the order of patches
> in it. The consequence is that "an input to 'git apply' must not
> mention the fate of each path at most once."
Ah, right, I forgot we covered this already in the earlier discussion
(but thanks for elaborating; I think the reason I forgot is that I did
not really understand all of the implications). If we do not have to
worry about that, then it's not a problem.
> >> + /*
> >> + * An attempt to read from or delete a path that is beyond
> >> + * a symbolic link will be prevented by load_patch_target()
> >> + * that is called at the beginning of apply_data(). We need
> >> + * to make sure that the patch result is not deposited to
> >> + * a path that is beyond a symbolic link ourselves.
> >> + */
> >> + if (!patch->is_delete && path_is_beyond_symlink(patch->new_name))
> >> + return error(_("affected file '%s' is beyond a symbolic link"),
> >> + patch->new_name);
> >
> > Do we need to check the patch->is_delete case here (with patch->old_name)?
>
> > I had a suspicion that the new patch 3/4 to check the reading-side might
> > help with that, but the comment here sounds like we do need to check
> > here, too
>
> Hmm, the comment above was meant to tell you that we do not have to
> worry about the deletion case (because load_patch_target() will try
> to read the original to verify we are deleting what we expect to
> delete at the beginning of apply_data(), and it will notice that
> old_name is beyond a symbolic link), but we still need to check the
> non-deletion case. Strictly speaking, modify-in-place case does not
> have to depend on this code (the same load_patch_target() check will
> catch it because it wants to check the preimage).
>
> May need rephrasing to clarify but I thought it was clear enough.
Ah, OK. I totally misread it, thinking that load_patch_target was what
set up the symlink-table, and that was what you were referring to. It
might be more clear after "...that is called at the beginning of
apply_data()" to add "...so we do not have to worry about that case
here".
-Peff
next prev parent reply other threads:[~2015-02-03 2:04 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-02 23:27 [PATCH v2 0/4] "git apply" safety Junio C Hamano
2015-02-02 23:27 ` [PATCH v2 1/4] apply: reject input that touches outside $cwd Junio C Hamano
2015-02-03 0:45 ` Jeff King
2015-02-03 0:50 ` Jeff King
2015-02-03 20:23 ` Junio C Hamano
2015-02-03 21:01 ` Jeff King
2015-02-03 21:23 ` Junio C Hamano
2015-02-03 21:24 ` Jeff King
2015-02-03 21:40 ` Junio C Hamano
2015-02-03 21:50 ` Jeff King
2015-02-03 22:11 ` Junio C Hamano
2015-02-03 5:56 ` Torsten Bögershausen
2015-02-02 23:27 ` [PATCH v2 2/4] apply: do not read from the filesystem under --index Junio C Hamano
2015-02-02 23:27 ` [PATCH v2 3/4] apply: do not read from beyond a symbolic link Junio C Hamano
2015-02-03 0:08 ` Stefan Beller
2015-02-03 19:37 ` Junio C Hamano
2015-02-03 19:44 ` Stefan Beller
2015-02-03 20:31 ` Junio C Hamano
2015-02-02 23:27 ` [PATCH v2 4/4] apply: do not touch a file " Junio C Hamano
2015-02-03 1:11 ` Jeff King
2015-02-03 1:56 ` Junio C Hamano
2015-02-03 2:04 ` Jeff King [this message]
2015-02-03 21:01 ` Junio C Hamano
2015-02-03 23:40 ` Eric Sunshine
2015-02-04 0:44 ` [PATCH v3 0/4] "git apply" safety Junio C Hamano
2015-02-04 0:44 ` [PATCH v3 1/4] apply: reject input that touches outside the working area Junio C Hamano
2015-02-04 0:44 ` [PATCH v3 2/4] apply: do not read from the filesystem under --index Junio C Hamano
2015-02-04 0:44 ` [PATCH v3 3/4] apply: do not read from beyond a symbolic link Junio C Hamano
2015-02-04 0:44 ` [PATCH v3 4/4] apply: do not touch a file " Junio C Hamano
2015-02-10 22:36 ` [PATCH v4 0/4] "git apply" safety Junio C Hamano
2015-02-10 22:36 ` [PATCH v4 1/4] apply: reject input that touches outside the working area Junio C Hamano
2015-02-10 22:36 ` [PATCH v4 2/4] apply: do not read from the filesystem under --index Junio C Hamano
2015-02-10 22:36 ` [PATCH v4 3/4] apply: do not read from beyond a symbolic link Junio C Hamano
2015-02-10 22:36 ` [PATCH v4 4/4] apply: do not touch a file " Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150203020440.GA4917@peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.