Make sure symlinks don't point outside working directory (CVE-2015-119)

When creating symlinks from git-style patches, make sure the symlinks don't
point above the current working directory.  Otherwise, a subsequent patch could
use the symlink to write outside the working directory.

* src/pch.c (symlink_target_is_valid): New function to check for valid symlink
targets.
* src/util.c (move_file): Use symlink_target_is_valid() here.
* tests/symlinks: Add valid and invalid symlink test cases.

5 files changed, 117 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 42afed7..d3f1c2d 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@
   differs from patch" instead of "File ... is not empty after patch; not
   deleting".
 * Function names in hunks (from diff -p) are now preserved in reject files.
+* With git-style patches, symlinks that point outside the working directory
+  will no longer be created.
 
 Changes in version 2.7.1:
 
diff --git a/src/pch.c b/src/pch.c
index 55e1504..f05ef83 100644
--- a/src/pch.c
+++ b/src/pch.c
@@ -454,6 +454,60 @@ name_is_valid (char const *name)
   return is_valid;
 }
 
+bool
+symlink_target_is_valid (char const *target, char const *to)
+{
+  bool is_valid;
+
+  if (IS_ABSOLUTE_FILE_NAME (to))
+    is_valid = true;
+  else if (IS_ABSOLUTE_FILE_NAME (target))
+    is_valid = false;
+  else
+    {
+      unsigned int depth = 0;
+      char const *t;
+
+      is_valid = true;
+      t = to;
+      while (*t)
+	{
+	  while (*t && ! ISSLASH (*t))
+	    t++;
+	  if (ISSLASH (*t))
+	    {
+	      while (ISSLASH (*t))
+		t++;
+	      depth++;
+	    }
+	}
+
+      t = target;
+      while (*t)
+	{
+	  if (*t == '.' && *++t == '.' && (! *++t || ISSLASH (*t)))
+	    {
+	      if (! depth--)
+		{
+		  is_valid = false;
+		  break;
+		}
+	    }
+	  else
+	    {
+	      while (*t && ! ISSLASH (*t))
+		t++;
+	      depth++;
+	    }
+	  while (ISSLASH (*t))
+	    t++;
+	}
+    }
+
+  /* Allow any symlink target if we are in the filesystem root.  */
+  return is_valid || cwd_is_root (to);
+}
+
 /* Determine what kind of diff is in the remaining part of the patch file. */
 
 static enum diff
diff --git a/src/pch.h b/src/pch.h
index 0c7ff62..58861b0 100644
--- a/src/pch.h
+++ b/src/pch.h
@@ -37,6 +37,7 @@ bool pch_write_line (lin, FILE *);
 bool there_is_another_patch (bool, mode_t *);
 char *pfetch (lin) _GL_ATTRIBUTE_PURE;
 char pch_char (lin) _GL_ATTRIBUTE_PURE;
+bool symlink_target_is_valid (char const *, char const *);
 int another_hunk (enum diff, bool);
 int pch_says_nonexistent (bool) _GL_ATTRIBUTE_PURE;
 size_t pch_line_len (lin) _GL_ATTRIBUTE_PURE;
diff --git a/src/util.c b/src/util.c
index 66ae90f..636eded 100644
--- a/src/util.c
+++ b/src/util.c
@@ -466,6 +466,13 @@ move_file (char const *from, bool *from_needs_removal,
 	    read_fatal ();
 	  buffer[size] = 0;
 
+	  if (! symlink_target_is_valid (buffer, to))
+	    {
+	      fprintf (stderr, "symbolic link target '%s' is invalid\n",
+		       buffer);
+	      fatal_exit (0);
+	    }
+
 	  if (! backup)
 	    {
 	      if (unlink (to) == 0)
diff --git a/tests/symlinks b/tests/symlinks
index 96626b3..6211026 100644
--- a/tests/symlinks
+++ b/tests/symlinks
@@ -146,6 +146,59 @@ ncheck 'test ! -L symlink'
 
 # --------------------------------------------------------------
 
+# Patch should not create symlinks which point outside the working directory.
+
+cat > symlink-target.diff <<EOF
+diff --git a/dir/foo b/dir/foo
+new file mode 120000
+index 0000000..cad2309
+--- /dev/null
++++ b/dir/foo
+@@ -0,0 +1 @@
++../foo
+\ No newline at end of file
+EOF
+
+check 'patch -p1 < symlink-target.diff || echo "Status: $?"' <<EOF
+patching symbolic link dir/foo
+EOF
+
+cat > bad-symlink-target1.diff <<EOF
+diff --git a/bar b/bar
+new file mode 120000
+index 0000000..cad2309
+--- /dev/null
++++ b/bar
+@@ -0,0 +1 @@
++/bar
+\ No newline at end of file
+EOF
+
+check 'patch -p1 < bad-symlink-target1.diff || echo "Status: $?"' <<EOF
+patching symbolic link bar
+symbolic link target '/bar' is invalid
+Status: 2
+EOF
+
+cat > bad-symlink-target2.diff <<EOF
+diff --git a/baz b/baz
+new file mode 120000
+index 0000000..cad2309
+--- /dev/null
++++ b/baz
+@@ -0,0 +1 @@
++../baz
+\ No newline at end of file
+EOF
+
+check 'patch -p1 < bad-symlink-target2.diff || echo "Status: $?"' <<EOF
+patching symbolic link baz
+symbolic link target '../baz' is invalid
+Status: 2
+EOF
+
+# --------------------------------------------------------------
+
 # The backup file of a new symlink is an empty regular file.
 
 check 'patch -p1 --backup < create-symlink.diff || echo "Status: $?"' <<EOF