author | Andreas Gruenbacher <agruen@gnu.org> | 2015-01-21 10:01:15 +0100 |
---|---|---|
committer | Andreas Gruenbacher <agruen@gnu.org> | 2015-01-22 21:51:51 +0100 |
commit | 41688ad8ef88bc296f3bed30b171ec73e5876b88 (patch) | |
tree | b2d4a9d3e31d2fec40e27f38dc85cd00bc6eaf1f /NEWS | |
parent | 17953b5893f7c9835f0dd2a704ba04e0371d2cbd (diff) | |
download | patch-41688ad8ef88bc296f3bed30b171ec73e5876b88.tar.gz |
Fix the fix for CVE-2015-1196 v2.7.3
* src/util.c (filename_is_safe): New function split off from name_is_valid().
(symlink_target_is_valid): Explain why we cannot have absolute symlinks or
symlinks with ".." components for now.
(move_file): Move absolute filename check here and explain.
* tests/symlinks: Put test case with ".." symlink in comments for now.
* NEWS: Add CVE number.
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -4,7 +4,7 @@ deleting". * Function names in hunks (from diff -p) are now preserved in reject files. * With git-style patches, symlinks that point outside the working directory - will no longer be created. + will no longer be created (CVE-2015-1196). Changes in version 2.7.1: |
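Review bot: the changed NEWS line still describes the behaviour only as "symlinks that point outside the working directory will no longer be created", while the commit message says absolute symlinks and symlinks with ".." components cannot be allowed for now and that the ".." test case in tests/symlinks is commented out. A blanket restriction on ".." components is stricter than the NEWS wording suggests, so consider saying in this entry that git-style patches creating absolute symlinks or symlinks containing ".." are currently rejected. Since the subject is "Fix the fix", it would also help readers tracking CVE-2015-1196 if the entry made clear that this release corrects the earlier fix rather than only attaching the CVE number to the existing sentence.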