New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 807286 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 632390


Participants' hotlists:
good-first-depot-tools-bugs


Sign in to add a comment

download_from_google_storage overzealous forbidding files with ".."

Project Member Reported by machenb...@chromium.org, Jan 30 2018

Issue description

In https://codereview.chromium.org/1285423002 a check was added that forbids the substring '..' to appear in tar file paths.

Sadly e.g. the mips toolchain contains lots of normal files starting with .. as a prefix of the filename.

See toolchain archives at https://www.mips.com/develop/tools/codescape-mips-sdk/download-codescape-mips-sdk-essentials/

For now I work around this by deleting all those files before uploading.
 

Comment 1 by ricow@chromium.org, Jan 31 2018

I think the reason for this was that we did not want the tool to be able to spray files around random places on your hard-drive.
I will leave it up to hinoka@ to decide if we can relax this.
It should probably only check for '../' + windows robustness. Or call some combo of normpath + relpath to check if paths are outside of the base path.

Comment 3 by hinoka@chromium.org, Jan 31 2018

Components: -Infra Infra>SDK
Status: Available (was: Untriaged)
Yes I think we can relax this to only check for "../".
Owner: aga...@chromium.org
Status: Started (was: Available)
https://chromium-review.googlesource.com/#/c/chromium/tools/depot_tools/+/912430

Comment 5 by aga...@chromium.org, Feb 12 2018

Status: Fixed (was: Started)
Project Member

Comment 6 by bugdroid1@chromium.org, Feb 12 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/tools/depot_tools/+/22b540d0658e7608d8695c68925e91174538bdb5

commit 22b540d0658e7608d8695c68925e91174538bdb5
Author: Aaron Gable <agable@chromium.org>
Date: Mon Feb 12 18:30:43 2018

download_from_google_storage: allow normal files with ..

Although we want to prevent dfgs from untar'ing files to a parent
or sibling of its target directory, normal files that just happen
to have ".." in their name (i.e. not preceding a path separator) are
okay.

R=hinoka

Bug:  807286 
Change-Id: Ibdc2c3615c4778ef66abceb532a4f671fbdab8ef
Reviewed-on: https://chromium-review.googlesource.com/912430
Reviewed-by: Ryan Tseng <hinoka@chromium.org>
Commit-Queue: Aaron Gable <agable@chromium.org>

[modify] https://crrev.com/22b540d0658e7608d8695c68925e91174538bdb5/tests/download_from_google_storage_unittest.py
[modify] https://crrev.com/22b540d0658e7608d8695c68925e91174538bdb5/download_from_google_storage.py

Status: Verified (was: Fixed)
Thanks!

Sign in to add a comment