Merge pull request #797 from lethliel/fix_1122675

fix security issue (bsc#1122675) no / in filename
2025-09-06 21:28:42 +02:00 · 2020-05-27 11:23:49 +02:00
parent 3967133022 a79c54418b
commit fdcd606122
1 changed files with 4 additions and 1 deletions
--- a/osc/fetch.py
+++ b/osc/fetch.py
@@ -179,8 +179,11 @@ class Fetcher:
                    print('Unsupported file type: ', tmpfile, file=sys.stderr)
                    sys.exit(1)
                canonname = pac_obj.binary
+        decoded_canonname = decode_it(canonname)
+        if b'/' in canonname or '/' in decoded_canonname:
+            raise oscerr.OscIOError(None, 'canonname contains a slash')

-        fullfilename = os.path.join(destdir, decode_it(canonname))
+        fullfilename = os.path.join(destdir, decoded_canonname)
        if pac_obj is not None:
            pac_obj.canonname = canonname
            pac_obj.fullfilename = fullfilename