|
@@ -18,6 +18,8 @@ import (
|
|
|
// ApplyLayer parses a diff in the standard layer format from `layer`, and
|
|
// ApplyLayer parses a diff in the standard layer format from `layer`, and
|
|
|
// applies it to the directory `dest`.
|
|
// applies it to the directory `dest`.
|
|
|
func ApplyLayer(dest string, layer ArchiveReader) error {
|
|
func ApplyLayer(dest string, layer ArchiveReader) error {
|
|
|
|
|
+ dest = filepath.Clean(dest)
|
|
|
|
|
+
|
|
|
// We need to be able to set any perms
|
|
// We need to be able to set any perms
|
|
|
oldmask, err := system.Umask(0)
|
|
oldmask, err := system.Umask(0)
|
|
|
if err != nil {
|
|
if err != nil {
|
|
@@ -91,6 +93,12 @@ func ApplyLayer(dest string, layer ArchiveReader) error {
|
|
|
|
|
|
|
|
path := filepath.Join(dest, hdr.Name)
|
|
path := filepath.Join(dest, hdr.Name)
|
|
|
base := filepath.Base(path)
|
|
base := filepath.Base(path)
|
|
|
|
|
+
|
|
|
|
|
+ // Prevent symlink breakout
|
|
|
|
|
+ if !strings.HasPrefix(path, dest) {
|
|
|
|
|
+ return breakoutError(fmt.Errorf("%q is outside of %q", path, dest))
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
if strings.HasPrefix(base, ".wh.") {
|
|
if strings.HasPrefix(base, ".wh.") {
|
|
|
originalBase := base[len(".wh."):]
|
|
originalBase := base[len(".wh."):]
|
|
|
originalPath := filepath.Join(filepath.Dir(path), originalBase)
|
|
originalPath := filepath.Join(filepath.Dir(path), originalBase)
|
Tibor Vass