From patchwork Fri Jun 5 22:12:25 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 89391
From: Yoann Congal
To: bitbake-devel@lists.openembedded.org
Cc: Richard Purdie
Subject: [bitbake][scarthgap][2.8][PATCH 1/4] fetch2: validate deb/ipk data member names
Date: Sat, 6 Jun 2026 00:12:25 +0200
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19622

From: Anders Heimer The deb/ipk unpack path selects a data archive member from 'ar -t' output and then passes that member name to a shell command. Previously, any member beginning with data.tar. was selected. Only select known deb/ipk data archive member names when datafile is created. Quote the package path used in the shell command as it can come from the local fetch path. Add local fetcher regression coverage for quoted package filenames, valid compressed data members, and unsupported or unsafe data member names. Signed-off-by: Anders Heimer Signed-off-by: Richard Purdie (cherry picked from commit 73ae3a2447ec93df39bc66cf3d8f9b2ea1bfe3bf) Signed-off-by: Yoann Congal --- lib/bb/fetch2/__init__.py | 10 +++++--- lib/bb/tests/fetch.py | 53 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+), 3 deletions(-) diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py index 224408de0..2f54cb86e 100644 --- a/lib/bb/fetch2/__init__.py +++ b/lib/bb/fetch2/__init__.py @@ -23,6 +23,7 @@ import collections import subprocess import pickle import errno +import shlex import bb.persist_data, bb.utils import bb.checksum import bb.process 
@@ -1567,16 +1568,19 @@ class FetchMethod(object): elif file.endswith('.deb') or file.endswith('.ipk'): output = subprocess.check_output(['ar', '-t', file], preexec_fn=subprocess_setup) datafile = None + valid_datafiles = ('data.tar', 'data.tar.gz', 'data.tar.xz', + 'data.tar.zst', 'data.tar.bz2', 'data.tar.lzma') if output: for line in output.decode().splitlines(): - if line.startswith('data.tar.'): + if line in valid_datafiles: datafile = line break else: - raise UnpackError("Unable to unpack deb/ipk package - does not contain data.tar.* file", urldata.url) + raise UnpackError("Unable to unpack deb/ipk package - does not contain supported data.tar* file", urldata.url) else: raise UnpackError("Unable to unpack deb/ipk package - could not list contents", urldata.url) - cmd = 'ar x %s %s && %s -p -f %s && rm %s' % (file, datafile, tar_cmd, datafile, datafile) + quoted_datafile = shlex.quote(datafile) + cmd = 'ar x %s %s && %s -p -f %s && rm %s' % (shlex.quote(file), quoted_datafile, tar_cmd, quoted_datafile, quoted_datafile) # If 'subdir' param exists, create a dir and use it as destination for unpack cmd if 'subdir' in urldata.parm: diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py index 3775ab0f3..5735cf8f4 100644 --- a/lib/bb/tests/fetch.py +++ b/lib/bb/tests/fetch.py @@ -13,6 +13,7 @@ import tempfile import collections import os import signal +import subprocess import tarfile from bb.fetch2 import URI from bb.fetch2 import FetchMethod 
@@ -731,6 +732,34 @@ class FetcherLocalTest(FetcherTest): bb.process.run('tar cjf archive.tar.bz2 -C dir .', cwd=self.localsrcdir) self.d.setVar("FILESPATH", self.localsrcdir) + def make_ar_package(self, package_name, data_member="data.tar"): + if not shutil.which("ar"): + self.skipTest("ar not installed") + + workdir = tempfile.mkdtemp(dir=self.tempdir) + payload = os.path.join(workdir, "payload") + with open(payload, "w") as f: + f.write("payload\n") + + data_path = os.path.join(workdir, data_member) + mode = "w:gz" if data_member.endswith(".gz") else "w" + with tarfile.open(data_path, mode) as archive: + archive.add(payload, arcname="payload") + + with open(os.path.join(workdir, "debian-binary"), "w") as f: + f.write("2.0\n") + + control = os.path.join(workdir, "control") + with open(control, "w") as f: + f.write("Package: fetch-test\nVersion: 1\nArchitecture: all\n") + with tarfile.open(os.path.join(workdir, "control.tar"), "w") as archive: + archive.add(control, arcname="control") + + package_path = os.path.join(self.localsrcdir, package_name) + subprocess.check_call(["ar", "r", package_path, "debian-binary", "control.tar", data_member], + cwd=workdir, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) + return package_name + def fetchUnpack(self, uris): fetcher = bb.fetch.Fetch(uris, self.d) fetcher.download() 
@@ -800,6 +829,30 @@ class FetcherLocalTest(FetcherTest): tree = self.fetchUnpack(['file://archive.tar.bz2;subdir=bar;striplevel=1']) self.assertEqual(tree, ['bar/c', 'bar/d', 'bar/subdir/e']) + def test_local_deb_quoted_filename(self): + package = self.make_ar_package("archive$(id).deb") + tree = self.fetchUnpack(['file://%s' % package]) + self.assertEqual(tree, ['payload']) + + def test_local_ipk_gz_data_member(self): + package = self.make_ar_package("archive.ipk", data_member="data.tar.gz") + tree = self.fetchUnpack(['file://%s' % package]) + self.assertEqual(tree, ['payload']) + + def test_local_deb_rejects_unknown_data_member_suffix(self): + package = self.make_ar_package("archive.deb", data_member="data.tar.foo") + with self.assertRaises(bb.fetch2.UnpackError) as context: + self.fetchUnpack(['file://%s' % package]) + + self.assertIn("does not contain supported data.tar* file", str(context.exception)) + + def test_local_deb_rejects_unsafe_data_member(self): + package = self.make_ar_package("archive.deb", data_member="data.tar.xz;id") + with self.assertRaises(bb.fetch2.UnpackError) as context: + self.fetchUnpack(['file://%s' % package]) + + self.assertIn("does not contain supported data.tar* file", str(context.exception)) + def dummyGitTest(self, suffix): # Create dummy local Git repo src_dir = tempfile.mkdtemp(dir=self.tempdir, From patchwork Fri Jun 5 22:12:26 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 89393 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A1686CD6E7E for ; Fri, 5 Jun 2026 22:12:53 +0000 (UTC) Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) by mx.groups.io with SMTP id 
smtpd.msgproc01-g2.5825.1780697563817122511 for ; Fri, 05 Jun 2026 15:12:44 -0700
From: Yoann Congal
To: bitbake-devel@lists.openembedded.org
Cc: Richard Purdie
Subject: [bitbake][scarthgap][2.8][PATCH 2/4] fetch2: validate striplevel parameter
Date: Sat, 6 Jun 2026 00:12:26 +0200
Message-ID: <3a8937cc4b6513f9ed54fee0b0347589a892c8d7.1780697470.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19623

From: Anders Heimer

The striplevel URL parameter is appended to tar_cmd, which is later run through the shell. Validate it as a decimal count before using it in the tar arguments.

Signed-off-by: Anders Heimer
Signed-off-by: Richard Purdie
(cherry picked from commit 934fe718bfe29c7ec921e6b598d81ec2ebe8f7c7)
[YC: Removed the striplevel="1\n" subtest case. The URL-decoding regex in decodeurl uses `.*` without `re.DOTALL`, causing literal newlines in parameters to be silently truncated during parsing.]
Signed-off-by: Yoann Congal --- lib/bb/fetch2/__init__.py | 5 ++++- lib/bb/tests/fetch.py | 11 +++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py index 2f54cb86e..7f6cf8ba9 100644 --- a/lib/bb/fetch2/__init__.py +++ b/lib/bb/fetch2/__init__.py @@ -1520,7 +1520,10 @@ class FetchMethod(object): if unpack: tar_cmd = 'tar --extract --no-same-owner' if 'striplevel' in urldata.parm: - tar_cmd += ' --strip-components=%s' % urldata.parm['striplevel'] + striplevel = urldata.parm['striplevel'] + if not striplevel.isdigit(): + raise UnpackError("Invalid striplevel parameter: %s" % striplevel, urldata.url) + tar_cmd += ' --strip-components=%s' % striplevel if file.endswith('.tar'): cmd = '%s -f %s' % (tar_cmd, file) elif file.endswith('.tgz') or file.endswith('.tar.gz') or file.endswith('.tar.Z'): diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py index 5735cf8f4..37e4eb9f4 100644 --- a/lib/bb/tests/fetch.py +++ b/lib/bb/tests/fetch.py @@ -7,6 +7,7 @@ # import contextlib +import shutil import unittest import hashlib import tempfile 
@@ -853,6 +854,16 @@ class FetcherLocalTest(FetcherTest): self.assertIn("does not contain supported data.tar* file", str(context.exception)) + def assertInvalidStriplevel(self, value): + with self.assertRaises(bb.fetch2.UnpackError) as context: + self.fetchUnpack(['file://archive.tar;subdir=bar;striplevel=%s' % value]) + self.assertIn("Invalid striplevel parameter", str(context.exception)) + + def test_local_striplevel_rejects_invalid_values(self): + for value in ("abc", "", "-1", "1 2"): + with self.subTest(striplevel=repr(value)): + self.assertInvalidStriplevel(value) + def dummyGitTest(self, suffix): # Create dummy local Git repo src_dir = tempfile.mkdtemp(dir=self.tempdir, From patchwork Fri Jun 5 22:12:27 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 89390 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8687CCD8C83 for ; Fri, 5 Jun 2026 22:12:53 +0000 (UTC) Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.5826.1780697564771390728 for ; Fri, 05 Jun 2026 15:12:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=FSIMa5PJ; spf=pass (domain: smile.fr, ip: 209.85.128.44, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-490b64c8311so27369205e9.3 for ; Fri, 05 Jun 2026 15:12:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1780697563; x=1781302363; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; 
From: Yoann Congal
To: bitbake-devel@lists.openembedded.org
Cc: Richard Purdie
Subject: [bitbake][scarthgap][2.8][PATCH 3/4] fetch2/git: quote shallow extra ref arguments
Date: Sat, 6 Jun 2026 00:12:27 +0200
Message-ID: <6d3f8bd4ddc955b49eaa124e0724ea589da30646.1780697470.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19624

From: Anders Heimer

BB_GIT_SHALLOW_EXTRA_REFS can include wildcard entries. Matching refs advertised by the remote are later passed to git fetch and update-ref while creating shallow tarballs. Quote the generated command arguments and pass the fetched ref after -- so shell metacharacters and option-like ref names are not interpreted as command syntax or git fetch options.

Signed-off-by: Anders Heimer
Signed-off-by: Richard Purdie
(cherry picked from commit e9a06f79d9ec767c9d95470be78b006d6fd0d59c)
[YC: Only the quote part of the master patch applies. The "--" part does not. This part is handled by bin/git-make-shallow which only pass arguments to git rev-list and rev-parse through arrays]
Signed-off-by: Yoann Congal
--- lib/bb/fetch2/git.py | 2 +- lib/bb/tests/fetch.py | 30 ++++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/lib/bb/fetch2/git.py b/lib/bb/fetch2/git.py index a3b1a2ada..d8e31284e 100644 --- a/lib/bb/fetch2/git.py +++ b/lib/bb/fetch2/git.py
@@ -602,7 +602,7 @@ class Git(FetchMethod): shallow_cmd = [self.make_shallow_path, '-s'] for b in shallow_branches: shallow_cmd.append('-r') - shallow_cmd.append(b) + shallow_cmd.append(shlex.quote(b)) shallow_cmd.extend(shallow_revisions) runfetchcmd(subprocess.list2cmdline(shallow_cmd), d, workdir=dest) diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py index 37e4eb9f4..2d95ef87d 100644 --- a/lib/bb/tests/fetch.py +++ b/lib/bb/tests/fetch.py 
@@ -2206,6 +2206,36 @@ class GitShallowTest(FetcherTest): self.assertRefs(['master', 'origin/master', 'v1.0']) self.assertRevCount(1) + def test_shallow_extra_refs_wildcard_shell_quoted(self): + self.add_empty_file('a') + marker = os.path.join(self.tempdir, 'ref-command-marker') + ref = 'refs/tags/poc;touch${IFS}%s' % marker + self.git(['update-ref', ref, 'HEAD'], cwd=self.srcdir) + + self.d.setVar('BB_GIT_SHALLOW_EXTRA_REFS', 'refs/tags/*') + self.fetch_shallow() + + self.assertFalse(os.path.exists(marker)) + self.assertRefs(['master', 'origin/master', ref]) + + def test_shallow_extra_refs_wildcard_fetch_options(self): + self.add_empty_file('a') + marker = os.path.join(self.tempdir, 'ref-option-marker') + helper = os.path.join(self.tempdir, 'upload-pack-helper') + with open(helper, 'w') as f: + f.write('#!/bin/sh\n') + f.write('touch "%s"\n' % marker) + f.write('exec git-upload-pack "$@"\n') + os.chmod(helper, 0o755) + ref = 'refs/tags/--upload-pack=%s' % helper + self.git(['update-ref', ref, 'HEAD'], cwd=self.srcdir) + + self.d.setVar('BB_GIT_SHALLOW_EXTRA_REFS', 'refs/tags/*') + self.fetch_shallow() + + self.assertFalse(os.path.exists(marker)) + self.assertRefs(['master', 'origin/master', ref]) + def test_shallow_missing_extra_refs(self): self.add_empty_file('a') self.add_empty_file('b') From patchwork Fri Jun 5 22:12:28 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 89392 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 85AAACD6E6E for ; Fri, 5 Jun 2026 22:12:53 +0000 (UTC) Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.5827.1780697565976577450 for ; Fri, 05 Jun 2026 
15:12:46 -0700
From: Yoann Congal
To: bitbake-devel@lists.openembedded.org
Cc: Richard Purdie
Subject: [bitbake][scarthgap][2.8][PATCH 4/4] fetch2: Unpack RPMs with --no-absolute-filenames
Date: Sat, 6 Jun 2026 00:12:28 +0200
Message-ID: <37beb06ba9329cd16976273efbb341f781d4e749.1780697470.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19625

From: Anders Heimer

Use cpio --no-absolute-filenames when unpacking RPM and SRPM archives so absolute paths and parent-directory components in cpio member names are extracted relative to the intended unpack directory.

Signed-off-by: Anders Heimer
Signed-off-by: Richard Purdie
(cherry picked from commit 1b1a71586aa93678c1d9ca40ef2c6fa518f89356)
Signed-off-by: Yoann Congal
--- lib/bb/fetch2/__init__.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py index 7f6cf8ba9..f2835397a 100644 --- a/lib/bb/fetch2/__init__.py
+++ b/lib/bb/fetch2/__init__.py @@ -1563,11 +1563,11 @@ class FetchMethod(object): elif file.endswith('.rpm') or file.endswith('.srpm'): if 'extract' in urldata.parm: unpack_file = urldata.parm.get('extract') - cmd = 'rpm2cpio.sh %s | cpio -id %s' % (file, unpack_file) + cmd = 'rpm2cpio.sh %s | cpio --no-absolute-filenames -id %s' % (file, unpack_file) iterate = True iterate_file = unpack_file else: - cmd = 'rpm2cpio.sh %s | cpio -id' % (file) + cmd = 'rpm2cpio.sh %s | cpio --no-absolute-filenames -id' % (file) elif file.endswith('.deb') or file.endswith('.ipk'): output = subprocess.check_output(['ar', '-t', file], preexec_fn=subprocess_setup) datafile = None
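
Review bot: In 1/4, the deb/ipk hunk of lib/bb/fetch2/__init__.py still interpolates tar_cmd into the shell string unquoted, and at this commit tar_cmd can carry the raw striplevel URL parameter, which is only validated in 2/4. Either move the striplevel validation ahead of this patch in the series or say in the commit message that the deb/ipk command is not fully covered until 2/4 is applied. Quoting datafile is harmless, but once `if line in valid_datafiles:` is in place it can only be one of six fixed names, so the protection there comes from the allow-list rather than from shlex.quote.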
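
Review bot: In 1/4, the new make_ar_package() helper in lib/bb/tests/fetch.py calls `shutil.which("ar")`, but the import hunk of this patch only adds `import subprocess`; `import shutil` is added to the same file by 2/4. Unless shutil is already imported elsewhere in the file, the four new tests fail with a NameError when 1/4 is applied on its own, which breaks bisection. Move the `+import shutil` line into this patch.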
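
Review bot: In 2/4, `if not striplevel.isdigit():` is looser than the "decimal count" the commit message describes: str.isdigit() also returns True for non-ASCII digit characters such as superscript digits, so those values pass the check and reach the tar command line. Restrict the check to ASCII, for example `striplevel.isascii() and striplevel.isdigit()` or `re.fullmatch(r'[0-9]+', striplevel)`, and add one non-ASCII digit value to the rejected list in the test.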
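
Review bot: In 2/4, the values in test_local_striplevel_rejects_invalid_values ("abc", "", "-1", "1 2") do not include any shell metacharacter, although the commit message gives shell execution of tar_cmd as the reason for the check. Add at least one value in the style of the `archive$(id).deb` name used in 1/4, so the test documents the case the validation exists for. A short comment noting that `;` cannot be used in the value because it separates URL parameters would also help the next reader.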
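
Review bot: In 3/4, `shallow_cmd.append(shlex.quote(b))` adds a POSIX-quoted string to a list that is then joined by `subprocess.list2cmdline(shallow_cmd)`, which applies Windows C runtime quoting rules (double quotes and backslashes), so two incompatible quoting schemes are stacked. A ref containing a single or double quote comes out mangled after both passes, and make_shallow_path and shallow_revisions get no POSIX quoting at all. Build the string with one scheme instead, for example `shlex.join(shallow_cmd)` (Python 3.8+) over the unquoted list. The hunk also adds no import to git.py, so please confirm that shlex is already imported there.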
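
Review bot: In 3/4, test_shallow_extra_refs_wildcard_fetch_options carries no comment explaining what it covers on this branch, although the backport note says the "--" part of the master change was not applied here and that bin/git-make-shallow handles option-like refs. Add a comment in the test naming bin/git-make-shallow as the component under test for the `refs/tags/--upload-pack=...` case, so a later change to that script is not made without knowing this test depends on it.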
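
Review bot: In 4/4, both changed lines still interpolate file, and in the `extract` branch unpack_file taken from urldata.parm, into the shell pipeline unquoted: `'rpm2cpio.sh %s | cpio --no-absolute-filenames -id %s' % (file, unpack_file)`. 1/4 quoted the package path in the deb/ipk branch for the stated reason that it can come from the local fetch path, and the same applies here, so wrap both in shlex.quote() (already imported in this file by 1/4). The diffstat also shows no change to lib/bb/tests/fetch.py; a regression test with one absolute member name and one containing a parent-directory component would confirm both behaviours the commit message claims.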