@@ -1545,7 +1545,10 @@ class FetchMethod(object):
if unpack:
tar_cmd = 'tar --extract --no-same-owner'
if 'striplevel' in urldata.parm:
- tar_cmd += ' --strip-components=%s' % urldata.parm['striplevel']
+ striplevel = urldata.parm['striplevel']
+ if not striplevel.isdigit():
+ raise UnpackError("Invalid striplevel parameter: %s" % striplevel, urldata.url)
+ tar_cmd += ' --strip-components=%s' % striplevel
if file.endswith('.tar'):
cmd = '%s -f %s' % (tar_cmd, file)
elif file.endswith('.tgz') or file.endswith('.tar.gz') or file.endswith('.tar.Z'):
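Review bot: The added `striplevel.isdigit()` check is wider than the "decimal count" the commit message describes, because `str.isdigit()` also returns True for non-ASCII digit characters (superscripts, digits from other scripts), so such a value still reaches `tar_cmd`. None of those characters are shell metacharacters, so this is a strictness gap rather than a remaining injection path, but tar would then fail later with a less specific error than the new `UnpackError`. Tightening the condition to `if not (striplevel.isascii() and striplevel.isdigit()):` restricts the value to `[0-9]+`. The enclosing method starts and ends outside this hunk, so whether `file` in the context line `cmd = '%s -f %s' % (tar_cmd, file)` is quoted or validated elsewhere cannot be judged from here.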
@@ -866,6 +866,16 @@ class FetcherLocalTest(FetcherTest):
self.assertIn("does not contain supported data.tar* file", str(context.exception))
+ def assertInvalidStriplevel(self, value):
+ with self.assertRaises(bb.fetch2.UnpackError) as context:
+ self.fetchUnpack(['file://archive.tar;subdir=bar;striplevel=%s' % value])
+ self.assertIn("Invalid striplevel parameter", str(context.exception))
+
+ def test_local_striplevel_rejects_invalid_values(self):
+ for value in ("abc", "", "-1", "1\n", "1 2"):
+ with self.subTest(striplevel=repr(value)):
+ self.assertInvalidStriplevel(value)
+
def dummyGitTest(self, suffix):
# Create dummy local Git repo
src_dir = tempfile.mkdtemp(dir=self.tempdir,
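Review bot: The value tuple in `test_local_striplevel_rejects_invalid_values` has no entry containing a shell metacharacter, which is the case the commit message gives as the reason for the check. Adding one constructed value such as `"1|2"` would pin the security property rather than only the number format; `;` is presumably unusable here because it separates URL parameters, as in `;subdir=bar;striplevel=`. This hunk also has no positive case, so if a valid value is not already covered elsewhere in the file, a test that `striplevel=1` still unpacks would guard against the check over-rejecting.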
The striplevel URL parameter is appended to tar_cmd, which is later run through the shell. Validate it as a decimal count before using it in the tar arguments. Signed-off-by: Anders Heimer <anders.heimer@est.tech> --- lib/bb/fetch2/__init__.py | 5 ++++- lib/bb/tests/fetch.py | 10 ++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-)