[elbe-devel] [PATCH 1/1] Fix Filesystem mkdir method

dion at linutronix.de dion at linutronix.de
Tue Jul 23 17:03:29 CEST 2019 

From: Olivier Dion <dion at linutronix.de>

If one of the component of the path is a symlink, the 'os.makedirs'
call fails.  Also, it leaks informations from the host to the target.

Using 'self.realpath' before calling 'os.makedirs' will ensure that:

  - Path has no symbolic link in its part
  - Path does not leak to another filesystem

This can easily be tested by using the 'armel-rescue-busybox-cpio'
example and adding the 'libjson-c3' package to the list of packages in
the target section.  Here's the expected traceback:
----------------------------------------------------------------------
Build failed
Traceback (most recent call last):
  File "/var/cache/elbe/devel/elbepack/asyncworker.py", line 158, in execute
    skip_pbuild=self.skip_pbuilder)
  File "/var/cache/elbe/devel/elbepack/elbeproject.py", line 546, in build
    self.log, self.get_rpcaptcache())
  File "/var/cache/elbe/devel/elbepack/efilesystem.py", line 79, in extract_target
    copy_filelist(src, file_list, dst)
  File "/var/cache/elbe/devel/elbepack/efilesystem.py", line 32, in copy_filelist
    dst.mkdir(f)
  File "/var/cache/elbe/devel/elbepack/filesystem.py", line 89, in mkdir
    os.makedirs(self.fname(path))
  File "/usr/lib/python2.7/os.py", line 157, in makedirs
    mkdir(name, mode)
OSError: [Errno 2] No such file or directory: '/var/cache/elbe/e80a928e-443b-4801-b105-ddd29c48a1f3/target/lib/arm-linux-gnueabihf'

Exception:
[Errno 2] No such file or directory: '/var/cache/elbe/e80a928e-443b-4801-b105-ddd29c48a1f3/target/lib/arm-linux-gnueabihf'
----------------------------------------------------------------------

Signed-off-by: Olivier Dion <dion at linutronix.de>
---
 elbepack/filesystem.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/elbepack/filesystem.py b/elbepack/filesystem.py
index e3076250..d7ed4b21 100644
--- a/elbepack/filesystem.py
+++ b/elbepack/filesystem.py
@@ -86,7 +86,7 @@ class Filesystem(object):
         return os.path.lexists(self.fname(path))
 
     def mkdir(self, path):
-        os.makedirs(self.fname(path))
+        os.makedirs(self.realpath(path))
 
     def readlink(self, path):
         return os.readlink(self.fname(path))
-- 
2.11.0

More information about the elbe-devel mailing list