mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

import: Avoid following symbolic links inside directories being imported

Browse source 
Too big a footgun.

This does not prevent attackers who can write to the directory being
imported from racing the check. But they can cause anything to be imported
anyway, so would be limited to getting the legacy import to follow into a
directory they do not write to, and move files out of it into the annex.
(The directory special remote does not have that problem since it does not
move files.)

Sponsored-by: Jack Hill on Patreon
This commit is contained in:
Joey Hess 2022-08-19 13:31:16 -04:00
parent 4ca8e95773
commit ed39979ac8
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
5 changed files with 13 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
CmdLine/Seek.hs
View file

@ -113,7 +113,7 @@ withPathContents a params = do
( map (\f ->
let f' = toRawFilePath f
in (f', P.makeRelative (P.takeDirectory (P.dropTrailingPathSeparator p')) f'))
<$> dirContentsRecursiveSkipping (".git" `isSuffixOf`) True p
<$> dirContentsRecursiveSkipping (".git" `isSuffixOf`) False p
, return [(p', P.takeFileName p')]
)
where