3 patches for repository http://darcs.net/releases/branch-2.5:
Fri Jul 23 14:45:33 BST 2010 Eric Kow <kowey@darcs.net>
* Fix warnings in Darcs.Repository.HashedIO.
Wed Jan 19 15:32:32 GMT 2011 Eric Kow <kowey@darcs.net>
* Accept issue2035: malicious subpaths not caught.
Wed Jan 19 15:34:50 GMT 2011 Eric Kow <kowey@darcs.net>
* Resolve issue2035: Catch malicious subpaths.
A longer-term fix would be to change our subpath representation
to be components based (e.g. like pathlib)
This goes wrong on Windows:
http://buildbot.darcs.net/builders/6.10.4%20Vista%20RELEASE/builds/18/steps/test/logs/stdio
I can't immediately figure out the problem, but presumably it's to do
with a different definition of absolute paths. That raises two questions
for me:
1) Is /foo/bar really a safe path on Windows? I would expect it to go to
the root of the current drive, which doesn't seem good.
2) Should we have a test repo with a c:/ in it for use on Windows?
There's a straightforward fix for the test (don't grep for "malicious" -
the get fails on Windows but for other reasons).
I'll also make a test repo that has c:/ in it.
I pushed the followup that doesn't check for 'malicious' straight to
2.5.1 as it's trivial. I checked that repos with c: in them are also
correctly rejected on Windows, and also that .. is (now) caught by darcs
too.
For various reasons the tests I wrote for those other things aren't in a
good state to submit/push yet, so I will probably leave those out of
2.5.1.
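
As an added illustration (not part of this thread and not darcs code), a component-based check in Python that evaluates a recorded path under both POSIX and Windows rules, so that `/foo/bar`, `c:/` and `..` are rejected whatever OS the check runs on. The function names and sample paths are constructed for this example.

```python
from pathlib import PurePosixPath, PureWindowsPath
from typing import Optional


def subpath_problem(path: str) -> Optional[str]:
    """Return why `path` could leave the repository root, or None if it cannot.

    The path is split into components under both POSIX and Windows rules,
    so the verdict does not depend on the OS the check runs on.
    """
    posix = PurePosixPath(path)
    win = PureWindowsPath(path)

    # "c:/x", "c:x" and UNC prefixes all select a location outside the repo.
    if win.drive:
        return "drive or UNC prefix"
    # "/foo/bar" is absolute on POSIX and root-of-current-drive on Windows.
    if posix.is_absolute() or win.root:
        return "rooted path"
    # Compare whole components: "..bar" is a legal name, ".." is not.
    # Windows splits on both "/" and "\", so check its components as well.
    if ".." in posix.parts or ".." in win.parts:
        return "parent-directory component"
    return None


def is_malicious_subpath(path: str) -> bool:
    """Hypothetical helper: True when the path must be rejected."""
    return subpath_problem(path) is not None


# Constructed sample paths, not taken from any darcs repository or test.
SAMPLES = ["./foo/bar", "foo/..bar", "/foo/bar", "c:/foo", "c:foo",
           "foo/../../bar", "foo\\..\\bar", "\\\\host\\share\\x"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:24} {subpath_problem(p) or 'ok'}")
```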