
Support for patches that add or remove files

Open GoogleCodeExporter opened this issue 10 years ago • 4 comments

I noticed that patch.py does not support patches that add or remove files.
Following patch against v245 adds support for this.

Original issue reported on code.google.com by [email protected] on 12 Dec 2014 at 4:25

GoogleCodeExporter, Apr 18 '15 09:04

Very nice! Would you mind adding a few tests to your patch?

Original comment by [email protected] on 12 Dec 2014 at 5:39

GoogleCodeExporter, Apr 18 '15 09:04

Hi, this update contains the support for new files and deleting of files, and also has a test case for it.

Original comment by [email protected] on 14 Dec 2014 at 6:13

GoogleCodeExporter, Apr 18 '15 09:04

Hello. I was wondering if there was any timescale for applying and making a release with the create/remove functionality. I'd love to use patch.py (just testing it out for the first time today), and this is a blocker. Is there anything lacking or missing in the last patch attached here which you need a hand with?

Kind regards, Roger

ghost, Mar 24 '16 18:03

@rleigh-dundee hi, glad you find it useful. The last patch lacks proper security research:

  1. that created files do not fall outside the scope of the patch's local directory
  2. that the API still allows using patches with absolute paths if people really need them

Patching existing files is already a danger, but creating them opens several new attack vectors. I am not getting time for it, because I am actively looking for a solution to refill my living cost funds, and so far no proposal has included work on patch.py.

Actionable items include:

  1. review that the filename normalization function is secure https://github.com/techtonik/python-patch/blob/e659ebd079157418e13ba36a64cfd90bb21d62e3/patch.py#L683
  2. write the missing tests for it
  3. run it against existing test suites for filename sanitization (and find those suites)

techtonik, Mar 31 '16 07:03
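One way to implement the two requirements above (created or modified files must stay inside the patch root, while absolute paths remain available on explicit opt-in), written as an added example in Python. This is not patch.py's own normalization function; the names `resolve_patch_path` and `unsafe_paths`, the `allow_absolute` flag and the sample header names are assumptions made for the example.

```python
"""Lexical path check for files a patch may create, modify or delete."""
import posixpath
import re

_DRIVE = re.compile(r"^[A-Za-z]:")  # 'C:foo' or 'C:/foo', Windows drive-qualified


class UnsafePatchPath(ValueError):
    """Raised when a patch header names a path the caller should not touch."""


def resolve_patch_path(root, name, allow_absolute=False):
    """Return the path under `root` that a hunk naming `name` may touch.

    Rejects NUL bytes, absolute and drive-qualified names (unless
    allow_absolute=True, the escape hatch the maintainer wants to keep),
    and any relative name that normalises to something outside `root`.
    The check is purely lexical: a symlink already present inside `root`
    can still redirect a write, so resolve with os.path.realpath before
    opening the file for writing.
    """
    if "\x00" in name:
        raise UnsafePatchPath("NUL byte in %r" % name)
    # Treat backslashes as separators so 'a\\..\\..\\x' cannot slip past a
    # forward-slash-only check when the patch is applied on Windows.
    unix = name.replace("\\", "/")
    if posixpath.isabs(unix) or _DRIVE.match(unix):
        if not allow_absolute:
            raise UnsafePatchPath("absolute path %r (allow_absolute=False)" % name)
        return posixpath.normpath(unix)
    clean = posixpath.normpath(unix)  # collapses '.', 'a/..', and '//'
    if clean in (".", "..") or clean.startswith("../"):
        raise UnsafePatchPath("%r escapes the patch root" % name)
    return posixpath.join(posixpath.normpath(root), clean)


def unsafe_paths(root, names, allow_absolute=False):
    """Pre-flight a whole patch: return [(name, reason)] for rejected headers."""
    rejected = []
    for name in names:
        try:
            resolve_patch_path(root, name, allow_absolute)
        except UnsafePatchPath as exc:
            rejected.append((name, str(exc)))
    return rejected


if __name__ == "__main__":
    # Constructed file names, as they might appear in '+++ ' headers.
    sample = ["lib/util.py", "lib/../README", "../etc/passwd", "/etc/passwd", "..\\..\\boot.ini"]
    for name, why in unsafe_paths("/srv/src", sample):
        print("reject %-20r %s" % (name, why))
```

Running the pre-flight over every header before touching the tree lets the caller refuse the whole patch instead of discovering a bad path after some hunks have already been applied.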