From a79c54418baf9b9785123bd07f350f12bd729ed3 Mon Sep 17 00:00:00 2001
From: lethliel
Date: Wed, 27 May 2020 09:40:16 +0200
Subject: [PATCH] fix security issue (bsc#1122675) no / in filename

This checks if the filename of a downloaded file has been modified (for example by a MITM attack) to contain slashes. This could mean that the file is compromised and that the attacker tries to overwrite system files.
---
 osc/fetch.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/osc/fetch.py b/osc/fetch.py
index a0a8e8d9..1a70c4e5 100644
--- a/osc/fetch.py
+++ b/osc/fetch.py
@@ -179,8 +179,11 @@ class Fetcher:
                 print('Unsupported file type: ', tmpfile, file=sys.stderr)
                 sys.exit(1)
             canonname = pac_obj.binary
+            decoded_canonname = decode_it(canonname)
+            if b'/' in canonname or '/' in decoded_canonname:
+                raise oscerr.OscIOError(None, 'canonname contains a slash')
-            fullfilename = os.path.join(destdir, decode_it(canonname))
+            fullfilename = os.path.join(destdir, decoded_canonname)
             if pac_obj is not None:
                 pac_obj.canonname = canonname
                 pac_obj.fullfilename = fullfilename
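Review bot: The new guard only rejects a slash, so a canonname of `..` (or `.` / empty) and, on Windows, a name containing a backslash still pass the check and the following `os.path.join(destdir, decoded_canonname)` resolves to a path that is not a file inside destdir. Requiring the decoded name to be a single ordinary path component covers all of these: `if os.path.basename(decoded_canonname) != decoded_canonname or decoded_canonname in ('', '.', '..'):` with the message adjusted to something like `'canonname is not a plain file name'`. The bytes-side test `b'/' in canonname` then looks redundant, since only the decoded value is joined; keep it only if decode_it can return something other than a faithful str of canonname. The enclosing method of Fetcher begins before this hunk, and `canonname = pac_obj.binary` is dereferenced before the `if pac_obj is not None:` check two lines below — that predates this commit, but the new lines now sit in the same unguarded stretch.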