| field | value | date |
|---|---|---|
| author | Jim Meyering <meyering@redhat.com> | 2011-02-01 11:21:15 +0100 |
| committer | Andreas Gruenbacher <agruen@linbit.com> | 2011-02-03 22:00:50 +0100 |
| commit | 685a78b6052f4df6eac6d625a545cfb54a6ac0e1 | |
| tree | 71794ea7f8a6076a396b10733288aa384e4d360d /src | |
| parent | 7fae6755f4194423ba52add76f5cbdbffd26fe04 | |
Do not let a malicious patch create files above current directory
This addresses CVE-2010-4651, reported by Jakub Wilk.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4651
* src/util.c (strip_leading_slashes): Reject absolute file names
and file names containing a component of "..".
* tests/bad-filenames: New file. Test for this.
* tests/Makefile.am (TESTS): Add it.
Improvements by Andreas Gruenbacher.
Diffstat (limited to 'src')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | src/pch.c | 2 |
| -rw-r--r-- | src/util.c | 13 |

2 files changed, 13 insertions, 2 deletions
@@ -3,7 +3,7 @@ /* Copyright (C) 1986, 1987, 1988 Larry Wall Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001, - 2002, 2003, 2006, 2009, 2010 Free Software Foundation, Inc. + 2002, 2003, 2006, 2009, 2010, 2011 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -3,7 +3,7 @@ /* Copyright (C) 1986 Larry Wall Copyright (C) 1992, 1993, 1997, 1998, 1999, 2001, 2002, 2003, 2006, - 2009, 2010 Free Software Foundation, Inc. + 2009, 2010, 2011 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1415,6 +1415,17 @@ strip_leading_slashes (char *name, int strip_leading) n = p+1; } } + if (IS_ABSOLUTE_FILE_NAME (n)) + fatal ("rejecting absolute file name: %s", quotearg (n)); + for (p = n; *p; ) + { + if (*p == '.' && *++p == '.' && ( ! *++p || ISSLASH (*p))) + fatal ("rejecting file name with \"..\" component: %s", quotearg (n)); + while (*p && ! ISSLASH (*p)) + p++; + while (ISSLASH (*p)) + p++; + } if ((strip_leading < 0 || s <= 0) && *n) { memmove (name, n, strlen (n) + 1); |
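Review bot: in the strip_leading_slashes hunk, the `..` test `if (*p == '.' && *++p == '.' && ( ! *++p || ISSLASH (*p)))` advances `p` as a side effect of a short-circuit condition, so when the test fails `p` has moved by zero, one or two characters depending on where evaluation stopped; the loop is only correct because the following `while (*p && ! ISSLASH (*p)) p++;` resynchronises on the next slash, and that is easy to break on a later edit. Consider the side-effect-free form `if (p[0] == '.' && p[1] == '.' && ( ! p[2] || ISSLASH (p[2])))`, which reads the same component without mutating `p` (a `..` component is still skipped correctly afterwards, since `fatal` never returns). Also note that both new rejections call `fatal`, so the first offending name aborts the whole patch run rather than skipping that file; the commit message says "Reject" but should state this behaviour for users and for the tests/bad-filenames expectations, and the check being purely lexical (it inspects the name after leading-slash stripping, nothing on disk) is worth a one-line comment above the `IS_ABSOLUTE_FILE_NAME (n)` check.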