author: Andreas Gruenbacher <agruen@gnu.org> 2015-01-21 10:01:15 +0100
committer: Andreas Gruenbacher <agruen@gnu.org> 2015-01-22 21:51:51 +0100
commit: 41688ad8ef88bc296f3bed30b171ec73e5876b88
tree: b2d4a9d3e31d2fec40e27f38dc85cd00bc6eaf1f /NEWS
parent: 17953b5893f7c9835f0dd2a704ba04e0371d2cbd
Fix the fix for CVE-2015-1196 (tag: v2.7.3)

* src/util.c (filename_is_safe): New function split off from name_is_valid().
(symlink_target_is_valid): Explain why we cannot have absolute symlinks or symlinks with ".." components for now.
(move_file): Move absolute filename check here and explain.
* tests/symlinks: Put test case with ".." symlink in comments for now.
* NEWS: Add CVE number.
Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 2
1 files changed, 1 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index d3f1c2d..d79cead 100644
--- a/NEWS
+++ b/NEWS
@@ -4,7 +4,7 @@
deleting".
* Function names in hunks (from diff -p) are now preserved in reject files.
* With git-style patches, symlinks that point outside the working directory
- will no longer be created.
+ will no longer be created (CVE-2015-1196).
Changes in version 2.7.1:
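Review bot: the amended entry on the + line ("will no longer be created (CVE-2015-1196)") still describes only symlinks that point outside the working directory, while the commit message says symlink_target_is_valid() cannot have absolute symlinks or symlinks with ".." components for now and that the ".." test case in tests/symlinks is commented out. If that means such targets are refused even when they would resolve inside the working directory, the NEWS entry should say so, for example with an added sentence that symlinks with absolute targets or ".." components are currently not created, so that users who hit the stricter behaviour can tie it to this CVE fix and know it is a stated temporary restriction.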