From patchwork Fri Jun 5 22:08:55 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 89385
From: Yoann Congal
To: bitbake-devel@lists.openembedded.org
Cc: Richard Purdie
Subject: [bitbake][wrynose][2.18][PATCH 1/4] fetch2: validate deb/ipk data member names
Date: Sat, 6 Jun 2026 00:08:55 +0200
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19617
From: Anders Heimer

The deb/ipk unpack path selects a data archive member from 'ar -t' output and then passes that member name to a shell command. Previously, any member beginning with data.tar. was selected.

Only select known deb/ipk data archive member names when datafile is created.

Quote the package path used in the shell command as it can come from the local fetch path.

Add local fetcher regression coverage for quoted package filenames, valid compressed data members, and unsupported or unsafe data member names.

Signed-off-by: Anders Heimer
Signed-off-by: Richard Purdie
(cherry picked from commit 73ae3a2447ec93df39bc66cf3d8f9b2ea1bfe3bf)
Signed-off-by: Yoann Congal
---
 lib/bb/fetch2/__init__.py | 10 +++++---
 lib/bb/tests/fetch.py     | 53 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py index 52d5556d3..fc641655e 100644 --- a/lib/bb/fetch2/__init__.py +++ b/lib/bb/fetch2/__init__.py @@ -23,6 +23,7 @@ import collections import subprocess import pickle import errno +import shlex import bb.utils import bb.checksum import bb.process
@@ -1589,16 +1590,19 @@ class FetchMethod(object): elif file.endswith('.deb') or file.endswith('.ipk'): output = subprocess.check_output(['ar', '-t', file], preexec_fn=subprocess_setup) datafile = None + valid_datafiles = ('data.tar', 'data.tar.gz', 'data.tar.xz', + 'data.tar.zst', 'data.tar.bz2', 'data.tar.lzma') if output: for line in output.decode().splitlines(): - if line.startswith('data.tar.') or line == 'data.tar': + if line in valid_datafiles: datafile = line break else: - raise UnpackError("Unable to unpack deb/ipk package - does not contain data.tar* file", urldata.url) + raise UnpackError("Unable to unpack deb/ipk package - does not contain supported data.tar* file", urldata.url) else: raise UnpackError("Unable to unpack deb/ipk package - could not list contents", urldata.url) - cmd = 'ar x %s %s && %s -p -f %s && rm %s' % (file, datafile, tar_cmd, datafile, datafile) + quoted_datafile = shlex.quote(datafile) + cmd = 'ar x %s %s && %s -p -f %s && rm %s' % (shlex.quote(file), quoted_datafile, tar_cmd, quoted_datafile, quoted_datafile) # If 'subdir' param exists, create a dir and use it as destination for unpack cmd if 'subdir' in urldata.parm: diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py index 077f741e1..869a82a99 100644 --- a/lib/bb/tests/fetch.py +++ b/lib/bb/tests/fetch.py @@ -16,6 +16,7 @@ import tempfile import collections import os import signal +import subprocess import tarfile from bb.fetch2 import URI import bb 
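Review bot: the move from `line.startswith('data.tar.')` to the `valid_datafiles` allowlist is also a functional change that the commit message should state: any package whose data member carries a suffix outside that tuple, which the old code accepted and left to tar's autodetection, now fails with the new "does not contain supported data.tar* file" UnpackError instead of unpacking. That is the right trade for a name that reaches a shell, and with the allowlist in place the `shlex.quote(datafile)` below is defence in depth rather than the primary control (the match is done per `splitlines()` entry with `line in valid_datafiles`, so no metacharacter or embedded newline can get through). A short comment next to the tuple saying both things would stop a later reader from loosening it back to a prefix match.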
@@ -740,6 +741,34 @@ class FetcherLocalTest(FetcherTest): bb.process.run('tar cjf archive.tar.bz2 -C dir .', cwd=self.localsrcdir) self.d.setVar("FILESPATH", self.localsrcdir) + def make_ar_package(self, package_name, data_member="data.tar"): + if not shutil.which("ar"): + self.skipTest("ar not installed") + + workdir = tempfile.mkdtemp(dir=self.tempdir) + payload = os.path.join(workdir, "payload") + with open(payload, "w") as f: + f.write("payload\n") + + data_path = os.path.join(workdir, data_member) + mode = "w:gz" if data_member.endswith(".gz") else "w" + with tarfile.open(data_path, mode) as archive: + archive.add(payload, arcname="payload") + + with open(os.path.join(workdir, "debian-binary"), "w") as f: + f.write("2.0\n") + + control = os.path.join(workdir, "control") + with open(control, "w") as f: + f.write("Package: fetch-test\nVersion: 1\nArchitecture: all\n") + with tarfile.open(os.path.join(workdir, "control.tar"), "w") as archive: + archive.add(control, arcname="control") + + package_path = os.path.join(self.localsrcdir, package_name) + subprocess.check_call(["ar", "r", package_path, "debian-binary", "control.tar", data_member], + cwd=workdir, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) + return package_name + def fetchUnpack(self, uris): fetcher = bb.fetch.Fetch(uris, self.d) fetcher.download() 
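Review bot: `make_ar_package` calls `shutil.which("ar")`, but this patch only adds `import subprocess` to the test module and `shutil` is not among the imports visible in the hunk context above; confirm it is already imported further up in lib/bb/tests/fetch.py, otherwise the skip path raises NameError on hosts without `ar` instead of skipping. Also, the helper only gzip-compresses when the member name ends in `.gz`, so the `data.tar.foo` and `data.tar.xz;id` packages built for the rejection tests carry an uncompressed tar under a misleading name; that is fine because those tests expect the name to be rejected before tar runs, but a one-line comment on the `mode =` line would save the next reader from wondering.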
@@ -813,6 +842,30 @@ class FetcherLocalTest(FetcherTest): tree = self.fetchUnpack(['file://archive.tar.bz2;subdir=bar;striplevel=1']) self.assertEqual(tree, ['bar/c', 'bar/d', 'bar/subdir/e']) + def test_local_deb_quoted_filename(self): + package = self.make_ar_package("archive$(id).deb") + tree = self.fetchUnpack(['file://%s' % package]) + self.assertEqual(tree, ['payload']) + + def test_local_ipk_gz_data_member(self): + package = self.make_ar_package("archive.ipk", data_member="data.tar.gz") + tree = self.fetchUnpack(['file://%s' % package]) + self.assertEqual(tree, ['payload']) + + def test_local_deb_rejects_unknown_data_member_suffix(self): + package = self.make_ar_package("archive.deb", data_member="data.tar.foo") + with self.assertRaises(bb.fetch2.UnpackError) as context: + self.fetchUnpack(['file://%s' % package]) + + self.assertIn("does not contain supported data.tar* file", str(context.exception)) + + def test_local_deb_rejects_unsafe_data_member(self): + package = self.make_ar_package("archive.deb", data_member="data.tar.xz;id") + with self.assertRaises(bb.fetch2.UnpackError) as context: + self.fetchUnpack(['file://%s' % package]) + + self.assertIn("does not contain supported data.tar* file", str(context.exception)) + def dummyGitTest(self, suffix): # Create dummy local Git repo src_dir = tempfile.mkdtemp(dir=self.tempdir,

From patchwork Fri Jun 5 22:08:56 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 89387
From: Yoann Congal
To: bitbake-devel@lists.openembedded.org
Cc: Richard Purdie
Subject: [bitbake][wrynose][2.18][PATCH 2/4] fetch2: validate striplevel parameter
Date: Sat, 6 Jun 2026 00:08:56 +0200
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19618

From: Anders Heimer

The striplevel URL parameter is appended to tar_cmd, which is later run through the shell. Validate it as a decimal count before using it in the tar arguments.

Signed-off-by: Anders Heimer
Signed-off-by: Richard Purdie
(cherry picked from commit 934fe718bfe29c7ec921e6b598d81ec2ebe8f7c7)
Signed-off-by: Yoann Congal
---
 lib/bb/fetch2/__init__.py |  5 ++++-
 lib/bb/tests/fetch.py     | 10 ++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py index fc641655e..3d39a1eeb 100644 --- a/lib/bb/fetch2/__init__.py
+++ b/lib/bb/fetch2/__init__.py @@ -1542,7 +1542,10 @@ class FetchMethod(object): if unpack: tar_cmd = 'tar --extract --no-same-owner' if 'striplevel' in urldata.parm: - tar_cmd += ' --strip-components=%s' % urldata.parm['striplevel'] + striplevel = urldata.parm['striplevel'] + if not striplevel.isdigit(): + raise UnpackError("Invalid striplevel parameter: %s" % striplevel, urldata.url) + tar_cmd += ' --strip-components=%s' % striplevel if file.endswith('.tar'): cmd = '%s -f %s' % (tar_cmd, file) elif file.endswith('.tgz') or file.endswith('.tar.gz') or file.endswith('.tar.Z'): diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py index 869a82a99..589a4655e 100644 --- a/lib/bb/tests/fetch.py +++ b/lib/bb/tests/fetch.py 
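Review bot: `str.isdigit()` is broader than the "decimal count" the commit message describes: it returns True for Unicode digit characters such as '²' or Arabic-Indic digits, which tar's `--strip-components` will not parse, so those inputs get past the new check and fail inside tar instead of raising the UnpackError. None of them carry shell metacharacters, so the injection fix holds, but since the intent is to accept only an ASCII integer before interpolating into a shell command, `re.fullmatch(r'[0-9]+', striplevel)` (or `int(striplevel)` and re-emitting `'%d' % n`) would match that intent and give one consistent error path. The values exercised on the next hunk (`"abc"`, `""`, `"-1"`, `"1\n"`, `"1 2"`) are all rejected by `isdigit()` as written, so the shell-relevant cases are covered either way.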
@@ -866,6 +866,16 @@ class FetcherLocalTest(FetcherTest): self.assertIn("does not contain supported data.tar* file", str(context.exception)) + def assertInvalidStriplevel(self, value): + with self.assertRaises(bb.fetch2.UnpackError) as context: + self.fetchUnpack(['file://archive.tar;subdir=bar;striplevel=%s' % value]) + self.assertIn("Invalid striplevel parameter", str(context.exception)) + + def test_local_striplevel_rejects_invalid_values(self): + for value in ("abc", "", "-1", "1\n", "1 2"): + with self.subTest(striplevel=repr(value)): + self.assertInvalidStriplevel(value) + def dummyGitTest(self, suffix): # Create dummy local Git repo src_dir = tempfile.mkdtemp(dir=self.tempdir,

From patchwork Fri Jun 5 22:08:57 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 89388
From: Yoann Congal
To: bitbake-devel@lists.openembedded.org
Cc: Richard Purdie
Subject: [bitbake][wrynose][2.18][PATCH 3/4] fetch2/git: quote shallow extra ref arguments
Date: Sat, 6 Jun 2026 00:08:57 +0200
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19619

From: Anders Heimer

BB_GIT_SHALLOW_EXTRA_REFS can include wildcard entries. Matching refs advertised by the remote are later passed to git fetch and update-ref while creating shallow tarballs.

Quote the generated command arguments and pass the fetched ref after -- so shell metacharacters and option-like ref names are not interpreted as command syntax or git fetch options.

Signed-off-by: Anders Heimer
Signed-off-by: Richard Purdie
(cherry picked from commit e9a06f79d9ec767c9d95470be78b006d6fd0d59c)
Signed-off-by: Yoann Congal
---
 lib/bb/fetch2/git.py  |  6 ++++--
 lib/bb/tests/fetch.py | 30 ++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/lib/bb/fetch2/git.py b/lib/bb/fetch2/git.py index ecf4340b1..5134ec04c 100644 --- a/lib/bb/fetch2/git.py +++ b/lib/bb/fetch2/git.py
@@ -645,9 +645,11 @@ class Git(FetchMethod): for ref in extra_refs: ref_fetch = ref.replace('refs/heads/', '').replace('refs/remotes/origin/', '').replace('refs/tags/', '') - runfetchcmd("%s fetch origin --depth 1 %s" % (ud.basecmd, ref_fetch), d, workdir=dest) + runfetchcmd("%s fetch origin --depth 1 -- %s" % + (ud.basecmd, shlex.quote(ref_fetch)), d, workdir=dest) revision = runfetchcmd("%s rev-parse FETCH_HEAD" % ud.basecmd, d, workdir=dest) - runfetchcmd("%s update-ref %s %s" % (ud.basecmd, ref, revision), d, workdir=dest) + runfetchcmd("%s update-ref %s %s" % + (ud.basecmd, shlex.quote(ref), revision), d, workdir=dest) # The url is local ud.clonedir, set it to upstream one runfetchcmd("%s remote set-url origin %s" % (ud.basecmd, shlex.quote(repourl)), d, workdir=dest) diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py index 589a4655e..cc133c1f5 100644 --- a/lib/bb/tests/fetch.py +++ b/lib/bb/tests/fetch.py 
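Review bot: the `update-ref` call quotes `ref` but, unlike the `fetch` call just above it, does not put `--` before it. That is safe only while every entry in `extra_refs` starts with `refs/` (the `refs/tags/--upload-pack=...` case in the tests is option-like only after the prefix is stripped for `ref_fetch`); if a BB_GIT_SHALLOW_EXTRA_REFS entry can ever be a name that does not start with `refs/`, git would parse it as an `update-ref` option, so either add `--` there as well or add a comment stating the invariant. Separately, `ref_fetch` is derived with `str.replace`, which removes `refs/heads/`, `refs/remotes/origin/` and `refs/tags/` anywhere in the name rather than only as a leading prefix; that is pre-existing, but now that the value is deliberately passed after `--` it would be cleaner to strip only a matching prefix. The unquoted `revision` is the output of `rev-parse FETCH_HEAD` and needs no quoting.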
@@ -2215,6 +2215,36 @@ class GitShallowTest(FetcherTest): self.assertRefs(['master', 'origin/master', 'v1.0']) self.assertRevCount(1) + def test_shallow_extra_refs_wildcard_shell_quoted(self): + self.add_empty_file('a') + marker = os.path.join(self.tempdir, 'ref-command-marker') + ref = 'refs/tags/poc;touch${IFS}%s' % marker + self.git(['update-ref', ref, 'HEAD'], cwd=self.srcdir) + + self.d.setVar('BB_GIT_SHALLOW_EXTRA_REFS', 'refs/tags/*') + self.fetch_shallow() + + self.assertFalse(os.path.exists(marker)) + self.assertRefs(['master', 'origin/master', ref]) + + def test_shallow_extra_refs_wildcard_fetch_options(self): + self.add_empty_file('a') + marker = os.path.join(self.tempdir, 'ref-option-marker') + helper = os.path.join(self.tempdir, 'upload-pack-helper') + with open(helper, 'w') as f: + f.write('#!/bin/sh\n') + f.write('touch "%s"\n' % marker) + f.write('exec git-upload-pack "$@"\n') + os.chmod(helper, 0o755) + ref = 'refs/tags/--upload-pack=%s' % helper + self.git(['update-ref', ref, 'HEAD'], cwd=self.srcdir) + + self.d.setVar('BB_GIT_SHALLOW_EXTRA_REFS', 'refs/tags/*') + self.fetch_shallow() + + self.assertFalse(os.path.exists(marker)) + self.assertRefs(['master', 'origin/master', ref]) + def test_shallow_missing_extra_refs(self): self.add_empty_file('a') self.add_empty_file('b')

From patchwork Fri Jun 5 22:08:58 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 89386
From: Yoann Congal
To: bitbake-devel@lists.openembedded.org
Cc: Richard Purdie
Subject: [bitbake][wrynose][2.18][PATCH 4/4] fetch2: Unpack RPMs with --no-absolute-filenames
Date: Sat, 6 Jun 2026 00:08:58 +0200
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19620

From: Anders Heimer

Use cpio --no-absolute-filenames when unpacking RPM and SRPM archives so absolute paths and parent-directory components in cpio member names are extracted relative to the intended unpack directory.

Signed-off-by: Anders Heimer
Signed-off-by: Richard Purdie
(cherry picked from commit 1b1a71586aa93678c1d9ca40ef2c6fa518f89356)
Signed-off-by: Yoann Congal
---
 lib/bb/fetch2/__init__.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py index 3d39a1eeb..0e4f491ce 100644 --- a/lib/bb/fetch2/__init__.py +++ b/lib/bb/fetch2/__init__.py
@@ -1585,11 +1585,11 @@ class FetchMethod(object): elif file.endswith('.rpm') or file.endswith('.srpm'): if 'extract' in urldata.parm: unpack_file = urldata.parm.get('extract') - cmd = 'rpm2cpio.sh %s | cpio -id %s' % (file, unpack_file) + cmd = 'rpm2cpio.sh %s | cpio --no-absolute-filenames -id %s' % (file, unpack_file) iterate = True iterate_file = unpack_file else: - cmd = 'rpm2cpio.sh %s | cpio -id' % (file) + cmd = 'rpm2cpio.sh %s | cpio --no-absolute-filenames -id' % (file) elif file.endswith('.deb') or file.endswith('.ipk'): output = subprocess.check_output(['ar', '-t', file], preexec_fn=subprocess_setup) datafile = None
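Review bot: `file` and `unpack_file` are still interpolated into the shell pipeline unquoted on both changed lines, while patch 1/4 of this series quotes the deb/ipk path with `shlex.quote(file)` for exactly the reason given there (it can come from the local fetch path); `unpack_file` comes straight from `urldata.parm['extract']`, so applying `shlex.quote()` to both here would complete the hardening this series is doing rather than leaving the rpm branch as the one unquoted path. Also, how cpio treats `..` components under `--no-absolute-filenames` depends on the installed GNU cpio version, so a local-fetcher regression test with a constructed archive containing an absolute and a `../` member, in the style of the deb and striplevel tests in this series, would pin the behaviour the commit message claims.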