From d54cf4dcbd668289deb0a2ef303b6c8c5a95561d Mon Sep 17 00:00:00 2001
From: Dmitry Rozhkov
Date: Mon, 18 Apr 2016 11:43:03 +0300
Subject: [PATCH] staging.c: Protect tar command against special characters

It may happen that a bundle contains a directory named '#' and other files under this directory, thus not only target files need to be escaped in tar commands, but also target directories where the files get installed. Also a target file may have a name with '@' as its first symbol. Since the symbol has a special meaning in case of bsdtar the name needs to escaped in tar commands with the prefix './'.

Upstream-Status: Submitted [https://github.com/clearlinux/swupd-client/pull/43]
Signed-off-by: Dmitry Rozhkov
---
 src/staging.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/staging.c b/src/staging.c
index deae1c2..09945b6 100644
--- a/src/staging.c
+++ b/src/staging.c
@@ -148,8 +148,8 @@ int do_staging(struct file *file, struct manifest *MoM)
 ret = -errno;
 goto out;
 }
- string_or_die(&tarcommand, TAR_COMMAND " -C %s " TAR_PERM_ATTR_ARGS " -cf - '%s' 2> /dev/null | "
- TAR_COMMAND " -C %s%s " TAR_PERM_ATTR_ARGS " -xf - 2> /dev/null",
+ string_or_die(&tarcommand, TAR_COMMAND " -C '%s' " TAR_PERM_ATTR_ARGS " -cf - './%s' 2> /dev/null | "
+ TAR_COMMAND " -C '%s%s' " TAR_PERM_ATTR_ARGS " -xf - 2> /dev/null",
 rename_tmpdir, base, path_prefix, rel_dir);
 ret = system(tarcommand);
 if (WIFEXITED(ret)) {
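Review bot: Wrapping `%s` in single quotes does not cover a name that itself contains a single quote: in both `string_or_die()` calls (this hunk and the one at line 186) such a character in `rename_tmpdir`, `base`, `path_prefix` or `rel_dir` ends the quoted word, and the remainder of the name is parsed by the shell that `system()` starts. The commit message says these names come from bundle content, so this should be closed in code rather than left to naming convention. A minimal guard before formatting is `if (strchr(base, '\'') || strchr(rel_dir, '\'')) { ret = -EINVAL; goto out; }` (extended to the other two values if they can carry manifest data); the more durable fix is to run the two tar processes with explicit argv arrays instead of a shell string. The body of do_staging continues outside the hunk, so whether `out:` is safe to reach from this point needs to be confirmed.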
@@ -186,8 +186,8 @@ int do_staging(struct file *file, struct manifest *MoM)
 ret = -errno;
 goto out;
 }
- string_or_die(&tarcommand, TAR_COMMAND " -C %s/staged " TAR_PERM_ATTR_ARGS " -cf - '.update.%s' 2> /dev/null | "
- TAR_COMMAND " -C %s%s " TAR_PERM_ATTR_ARGS " -xf - 2> /dev/null",
+ string_or_die(&tarcommand, TAR_COMMAND " -C '%s/staged' " TAR_PERM_ATTR_ARGS " -cf - '.update.%s' 2> /dev/null | "
+ TAR_COMMAND " -C '%s%s' " TAR_PERM_ATTR_ARGS " -xf - 2> /dev/null",
 STATE_DIR, base, path_prefix, rel_dir);
 ret = system(tarcommand);
 if (WIFEXITED(ret)) {
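Review bot: The `WIFEXITED(ret)` check after `system(tarcommand)` only sees the exit status of the last command in the pipeline, so a failure of the archiving `tar ... -cf -` on the left side goes unnoticed, and `2> /dev/null` discards its message as well; the first hunk has the same pattern. Whether the extracting tar reliably fails on truncated or empty input depends on the tar implementation, so that should not be relied on to catch a partial copy. Consider keeping stderr (or routing it to the log) and checking the status of both processes, which comes naturally if the two tar commands are spawned directly instead of through a shell string. The handling of `ret` continues outside the hunk.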