-
Notifications
You must be signed in to change notification settings - Fork 761
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
sysutils/iocage: Fix fetch release command
See also: freebsd/iocage#55
- Loading branch information
Showing
2 changed files
with
27 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,22 +1,41 @@ | ||
| --- iocage_lib/ioc_fetch.py.orig 2024-09-20 06:45:27 UTC | ||
| +++ iocage_lib/ioc_fetch.py | ||
| @@ -47,7 +47,10 @@ import iocage_lib.ioc_start | ||
| @@ -47,6 +47,29 @@ import iocage_lib.ioc_start | ||
| from iocage_lib.pools import Pool | ||
| from iocage_lib.dataset import Dataset | ||
|
|
||
| +# deliberately crash if tarfile doesn't have required filter | ||
| +tarfile.tar_filter | ||
| +# taken from tarfile.tar_filter (and _get_filtered_attrs) | ||
| +# basically the same, but **without**: | ||
| +# - Clear high mode bits (setuid, setgid, sticky) and | ||
| +# group/other write bits (S_IWGRP | S_IWOTH). | ||
| +def untar_release_filter(member, dest_path): | ||
| + new_attrs = {} | ||
| + name = member.name | ||
| + dest_path = os.path.realpath(dest_path) | ||
| + # Strip leading / (tar's directory separator) from filenames. | ||
| + # Include os.sep (target OS directory separator) as well. | ||
| + if name.startswith(('/', os.sep)): | ||
| + name = new_attrs['name'] = member.path.lstrip('/' + os.sep) | ||
| + if os.path.isabs(name): | ||
| + # Path is absolute even after stripping. | ||
| + # For example, 'C:/foo' on Windows. | ||
| + raise tarfile.AbsolutePathError(member) | ||
| + # Ensure we stay in the destination | ||
| + target_path = os.path.realpath(os.path.join(dest_path, name)) | ||
| + if os.path.commonpath([target_path, dest_path]) != dest_path: | ||
| + raise tarfile.OutsideDestinationError(member, target_path) | ||
| + if new_attrs: | ||
| + return member.replace(**new_attrs, deep=False) | ||
| + return member | ||
|
|
||
| + | ||
| class IOCFetch: | ||
|
|
||
| """Fetch a RELEASE for use as a jail base.""" | ||
| @@ -817,7 +820,7 @@ class IOCFetch: | ||
| @@ -817,7 +840,7 @@ class IOCFetch: | ||
| # removing them first. | ||
| member = self.__fetch_extract_remove__(f) | ||
| member = self.__fetch_check_members__(member) | ||
| - f.extractall(dest, members=member) | ||
| + f.extractall(dest, members=member, filter='tar') | ||
| + f.extractall(dest, members=member, filter=untar_release_filter) | ||
|
|
||
| def fetch_update(self, cli=False, uuid=None): | ||
| """This calls 'freebsd-update' to update the fetched RELEASE.""" |