bug-patch

Re: [bug-patch] patch rejects file names starting with '../' as "invalid


From: Andreas Grünbacher
Subject: Re: [bug-patch] patch rejects file names starting with '../' as "invalid"
Date: Thu, 12 Jan 2017 17:19:53 +0100

Bruno,

2017-01-12 17:05 GMT+01:00 Bruno Haible <address@hidden>:
> With patch 2.7.5 I have to make contortions in order to transport a set
> of hunks from one file to another:
>
> $ git diff vacall.h.in | patch ../callback/vacall_r/vacall_r.h.in
> Invalid file name ../callback/vacall_r/vacall_r.h.in -- skipping patch
>
> $ git diff vacall.h.in | (cd .. && patch callback/vacall_r/vacall_r.h.in)
> patching file callback/vacall_r/vacall_r.h.in
> Hunk #1 succeeded at 367 (offset -1 lines).
> Hunk #2 succeeded at 651 (offset -1 lines).
>
> This worked with 2.7.1, hence it is a regression:
>
> $ git diff vacall.h.in | patch ../callback/vacall_r/vacall_r.h.in
> patching file ../callback/vacall_r/vacall_r.h.in
> Hunk #1 succeeded at 367 (offset -1 lines).
> Hunk #2 succeeded at 651 (offset -1 lines).
>
> I fully agree that for security reasons, patch (like 'tar') should reject
> file names that start with '../' when they originate from the patch file
> (standard input in this case). But for file names given on the command line,
> there is no security risk.

I agree. This should actually be addressed by commit 83a3ed01 on
git://git.savannah.gnu.org/patch.git from last July already, can you
verify?

Thanks,
Andreas
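
Added example, not part of the original message and not GNU patch's own code: a minimal C sketch of the policy discussed above, where a target name is checked only when it originates from the patch text. The identifiers `name_origin`, `escapes_working_dir` and `target_name_allowed` are hypothetical, and the check rejects any `..` component, which is stricter than the leading `../` case in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Where a file name came from (hypothetical names, not GNU patch's own). */
enum name_origin { FROM_COMMAND_LINE, FROM_PATCH_INPUT };

/* True if the name is absolute or contains a ".." component, i.e. it could
   resolve outside the directory the tool was started in. This is a purely
   lexical check; it does not follow symlinks. */
static bool escapes_working_dir(const char *name)
{
    if (name[0] == '/')
        return true;
    const char *p = name;
    while (*p) {
        while (*p == '/')               /* skip separators, repeated ones too */
            p++;
        size_t len = strcspn(p, "/");   /* length of the next path component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        p += len;
    }
    return false;
}

/* Policy from the thread: names taken from the patch text are untrusted and
   must stay inside the working directory; names the user typed on the
   command line are accepted as given. */
bool target_name_allowed(const char *name, enum name_origin origin)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (origin == FROM_COMMAND_LINE)
        return true;
    return !escapes_working_dir(name);
}
```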
