| From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001 |
| From: Johannes Schindelin <Johannes.Schindelin@gmx.de> |
| Date: Thu Mar 9 16:02:54 2023 +0100 |
| Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it |
| exists |
| |
| The `git apply --reject` is expected to write out `.rej` files in case |
| one or more hunks fail to apply cleanly. Historically, the command |
| overwrites any existing `.rej` files. The idea being that |
| apply/reject/edit cycles are relatively common, and the generated `.rej` |
| files are not considered precious. |
| |
| But the command does not overwrite existing `.rej` symbolic links, and |
| instead follows them. This is unsafe because the same patch could |
| potentially create such a symbolic link and point at arbitrary paths |
| outside the current worktree, and `git apply` would write the contents |
| of the `.rej` file into that location. |
| |
| Therefore, let's make sure that any existing `.rej` file or symbolic |
| link is removed before writing it. |
| |
| Reported-by: RyotaK <ryotak.mail@gmail.com> |
| Helped-by: Taylor Blau <me@ttaylorr.com> |
| Helped-by: Junio C Hamano <gitster@pobox.com> |
| Helped-by: Linus Torvalds <torvalds@linuxfoundation.org> |
| Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> |
| |
| CVE: CVE-2023-25652 |
| Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b] |
| |
| Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> |
| --- |
| apply.c | 14 ++++++++++++-- |
| t/t4115-apply-symlink.sh | 15 +++++++++++++++ |
| 2 files changed, 27 insertions(+), 2 deletions(-) |
| |
| diff --git a/apply.c b/apply.c |
| index fc6f484..47f2686 100644 |
| --- a/apply.c |
| +++ b/apply.c |
| @@ -4584,7 +4584,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) |
| FILE *rej; |
| char namebuf[PATH_MAX]; |
| struct fragment *frag; |
| - int cnt = 0; |
| + int fd, cnt = 0; |
| struct strbuf sb = STRBUF_INIT; |
| |
| for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) { |
| @@ -4624,7 +4624,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) |
| memcpy(namebuf, patch->new_name, cnt); |
| memcpy(namebuf + cnt, ".rej", 5); |
| |
| - rej = fopen(namebuf, "w"); |
| + fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); |
| + if (fd < 0) { |
| + if (errno != EEXIST) |
| + return error_errno(_("cannot open %s"), namebuf); |
| + if (unlink(namebuf)) |
| + return error_errno(_("cannot unlink '%s'"), namebuf); |
| + fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); |
| + if (fd < 0) |
| + return error_errno(_("cannot open %s"), namebuf); |
| + } |
| + rej = fdopen(fd, "w"); |
| if (!rej) |
| return error_errno(_("cannot open %s"), namebuf); |
| |
| diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh |
| index 65ac7df..e95e6d4 100755 |
| --- a/t/t4115-apply-symlink.sh |
| +++ b/t/t4115-apply-symlink.sh |
| @@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' ' |
| test_path_is_file .git/delete-me |
| ' |
| |
| +test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' ' |
| + test_when_finished "git reset --hard && git clean -dfx" && |
| + |
| + test_commit file && |
| + echo modified >file.t && |
| + git diff -- file.t >patch && |
| + echo modified-again >file.t && |
| + |
| + ln -s foo file.t.rej && |
| + test_must_fail git apply patch --reject 2>err && |
| + test_i18ngrep "Rejected hunk" err && |
| + test_path_is_missing foo && |
| + test_path_is_file file.t.rej |
| +' |
| + |
| test_done |
| -- |
| 2.40.0 |