From 1c4eb2022cb84e9b467fd7bc0df1a374670fe027 Mon Sep 17 00:00:00 2001
From: Michael Gmelin
Date: Sun, 8 Dec 2024 18:23:29 +0100
Subject: [PATCH] sysutils/iocage-devel: Fix fetch release command
See also: https://github.com/freebsd/iocage/pull/55
(cherry picked from commit ecf7e0e97e773f835506fcf54642790b15c492f9)
---
 sysutils/iocage-devel/Makefile | 2 +-
 .../files/patch-iocage__lib_ioc__fetch.py | 33 +++++++++++++++----
 2 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/sysutils/iocage-devel/Makefile b/sysutils/iocage-devel/Makefile
index 33f0fa9dc05ef..5db822ced3dec 100644
--- a/sysutils/iocage-devel/Makefile
+++ b/sysutils/iocage-devel/Makefile
@@ -1,6 +1,6 @@
 PORTNAME= iocage-devel
 PORTVERSION= 1.7.20240618
-PORTREVISION= 1
+PORTREVISION= 2
 PORTEPOCH= 1
 CATEGORIES= sysutils python
 PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
diff --git a/sysutils/iocage-devel/files/patch-iocage__lib_ioc__fetch.py b/sysutils/iocage-devel/files/patch-iocage__lib_ioc__fetch.py
index 73d8b6e580687..d5697b9205af6 100644
--- a/sysutils/iocage-devel/files/patch-iocage__lib_ioc__fetch.py
+++ b/sysutils/iocage-devel/files/patch-iocage__lib_ioc__fetch.py
@@ -1,22 +1,41 @@
 --- iocage_lib/ioc_fetch.py.orig 2024-09-20 06:45:27 UTC
 +++ iocage_lib/ioc_fetch.py
-@@ -47,7 +47,10 @@ import iocage_lib.ioc_start
+@@ -47,6 +47,29 @@ import iocage_lib.ioc_start
 from iocage_lib.pools import Pool
 from iocage_lib.dataset import Dataset
-+# deliberately crash if tarfile doesn't have required filter
-+tarfile.tar_filter
++# taken from tarfile.tar_filter (and _get_filtered_attrs)
++# basically the same, but **without**:
++# - Clear high mode bits (setuid, setgid, sticky) and
++# group/other write bits (S_IWGRP | S_IWOTH).
++def untar_release_filter(member, dest_path):
++ new_attrs = {}
++ name = member.name
++ dest_path = os.path.realpath(dest_path)
++ # Strip leading / (tar's directory separator) from filenames.
++ # Include os.sep (target OS directory separator) as well.
++ if name.startswith(('/', os.sep)):
++ name = new_attrs['name'] = member.path.lstrip('/' + os.sep)
++ if os.path.isabs(name):
++ # Path is absolute even after stripping.
++ # For example, 'C:/foo' on Windows.
++ raise tarfile.AbsolutePathError(member)
++ # Ensure we stay in the destination
++ target_path = os.path.realpath(os.path.join(dest_path, name))
++ if os.path.commonpath([target_path, dest_path]) != dest_path:
++ raise tarfile.OutsideDestinationError(member, target_path)
++ if new_attrs:
++ return member.replace(**new_attrs, deep=False)
++ return member
-+
 class IOCFetch:
- """Fetch a RELEASE for use as a jail base."""
-@@ -817,7 +820,7 @@ class IOCFetch:
+@@ -817,7 +840,7 @@ class IOCFetch:
 # removing them first.
 member = self.__fetch_extract_remove__(f)
 member = self.__fetch_check_members__(member)
 - f.extractall(dest, members=member)
-+ f.extractall(dest, members=member, filter='tar')
++ f.extractall(dest, members=member, filter=untar_release_filter)
 def fetch_update(self, cli=False, uuid=None):
 """This calls 'freebsd-update' to update the fetched RELEASE."""
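Review bot: `untar_release_filter` re-implements the path checks of `tarfile.tar_filter` by copy, so any later hardening of the stdlib filter will not reach this code, and the import-time `tarfile.tar_filter` probe that guaranteed filter support is dropped along the way. Since the only intended difference is keeping the archive's mode bits (setuid/setgid/sticky and group/other write), consider delegating the validation and restoring the mode afterwards: `filtered = tarfile.tar_filter(member, dest_path)` followed by `return filtered.replace(mode=member.mode, deep=False)`. Because those bits are now applied exactly as the archive states them, the function should also carry a docstring saying it is meant only for release archives whose integrity has already been verified; whether that verification happens before this `extractall` call is not visible in the hunk. The `extractall` line sits in an `IOCFetch` method whose body starts outside the hunk.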