[Python-apps-commits] r11706 - in packages/archmage/trunk/debian/patches (2 files)

[dottedmag at users.alioth.debian.org]

    Date: Monday, February 2, 2015 @ 08:53:05
  Author: dottedmag
Revision: 11706

Add fix for directory traversal bug
(Closes: #776164)

Added:
  packages/archmage/trunk/debian/patches/fix-directory-traversal.patch
Modified:
  packages/archmage/trunk/debian/patches/series

Added: packages/archmage/trunk/debian/patches/fix-directory-traversal.patch
===================================================================
--- packages/archmage/trunk/debian/patches/fix-directory-traversal.patch	                        (rev 0)
+++ packages/archmage/trunk/debian/patches/fix-directory-traversal.patch	2015-02-02 08:53:05 UTC (rev 11706)
@@ -0,0 +1,33 @@
+From 51e60c8eaef774cab152a54a87329a15530cd6eb Mon Sep 17 00:00:00 2001
+From: Mikhail Gusarov <dottedmag at dottedmag.net>
+Date: Sun, 25 Jan 2015 17:22:30 +0100
+Subject: [PATCH] Fix directory traversal bug (Debian #776164)
+
+---
+ archmod/CHM.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/archmod/CHM.py b/archmod/CHM.py
+index 78d6e5f..44113a5 100644
+--- a/archmod/CHM.py
++++ b/archmod/CHM.py
+@@ -26,6 +26,7 @@ except ImportError, msg:
+ from archmod.chmtotext import chmtotext
+ from archmod.htmldoc import htmldoc
+ 
++PARENT_RE = re.compile(r'(^|/|\\)\.\.(/|\\|$)')
+ 
+ class CHMDir(Cached):
+ 	"""Class that represent CHM content from directory"""
+@@ -222,6 +223,8 @@ class CHMDir(Cached):
+ 			# if entry is auxiliary file, than skip it
+ 			if re.match(self.aux_re, e):
+ 				continue
++			if PARENT_RE.search(e):
++				raise RuntimeError('Giving up on malicious name: %s' % e)
+ 			self.extract_entry(e, output_file=e, destdir=destdir, correct=correct)
+ 
+ 	def extract(self, destdir):
+-- 
+2.2.1
+

Modified: packages/archmage/trunk/debian/patches/series
===================================================================
--- packages/archmage/trunk/debian/patches/series	2015-02-02 00:54:45 UTC (rev 11705)
+++ packages/archmage/trunk/debian/patches/series	2015-02-02 08:53:05 UTC (rev 11706)
@@ -1 +1,2 @@
 python-interpreter.diff
+fix-directory-traversal.patch