Re: [PATCH v8] format-patch: allow a non-integral version numbers

Eric Sunshine <sunshine@xxxxxxxxxxxxxx> wrote on Sun, Mar 21, 2021 at 12:05 PM:
>
> On Sat, Mar 20, 2021 at 10:56 AM ZheNing Hu via GitGitGadget
> <gitgitgadget@xxxxxxxxx> wrote:
> > diff --git a/Documentation/git-format-patch.txt b/Documentation/git-format-patch.txt
> > @@ -221,6 +221,11 @@ populated with placeholder text.
> > +        `<n>` may be a non-integer number.  E.g. `--reroll-count=4.4`
> > +       may produce `v4.4-0001-add-makefile.patch` file that has
> > +       "Subject: [PATCH v4.4 1/20] Add makefile" in it.
> > +       `--reroll-count=4rev2` may produce `v4rev2-0001-add-makefile.patch`
> > +       file that has "Subject: [PATCH v4rev2 1/20] Add makefile" in it.
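Review bot: The added paragraph for `<n>` does not say which characters are accepted, although both examples show the value being copied into the output file name (`v4.4-0001-add-makefile.patch`, `v4rev2-0001-add-makefile.patch`). Suggest documenting the accepted set, or what happens to characters that cannot appear in a file name, and writing "produces" rather than "may produce" so the reader knows what to expect.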
>
> This new example raises the question about what happens if the
> argument to --reroll-count contains characters which don't belong in
> pathnames. For instance, what happens if `--reroll-count=1/2` is
> specified? Most likely, it will fail trying to write the
> "v1/2-whatever.patch" file to a nonexistent directory named "v1".
>
> > diff --git a/log-tree.c b/log-tree.c
> > @@ -369,8 +369,8 @@ void fmt_output_subject(struct strbuf *filename,
> > +       if (info->reroll_count)
> > +               strbuf_addf(filename, "v%s-", info->reroll_count);
> >         strbuf_addf(filename, "%04d-%s", nr, subject);
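Review bot: `info->reroll_count` is written into `filename` through "v%s-" exactly as given, so a '/' or any other byte in the value becomes part of the output path. Suggest sanitizing the formatted prefix at this point or rejecting such values when the option is parsed. The `if (info->reroll_count)` test only checks for a non-NULL pointer, so an empty string, if the parser accepts one, would produce a bare "v-" prefix.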
>
> To protect against that problem, you may need to call
> format_sanitized_subject() manually after formatting "v%s-". (I'm just
> looking at this code for the first time, so I could be hopelessly
> wrong. There may be a better way to fix it.)

Hi, Eric,
This is a kind of "injection" problem,
thank you for your discovery and solution method.
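
The problem Eric describes and the kind of fix he suggests, as an added example that is not part of this thread or of git's code. `build_name_raw()`, `build_name_safe()` and `sanitize_component()` are hypothetical names, and the character policy (keep alphanumerics, `.` and `_`) is a simplified assumption, not git's `format_sanitized_subject()`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* As in the quoted hunk: the reroll value is formatted in verbatim. */
int build_name_raw(char *out, size_t n, const char *reroll, int nr, const char *subject)
{
	return snprintf(out, n, "v%s-%04d-%s", reroll, nr, subject);
}

/* Hypothetical, simplified sanitizer: keeps [A-Za-z0-9._] and turns each inner
 * run of other bytes into one '-'. Returns -1 if nothing is left or out is too small. */
int sanitize_component(char *out, size_t n, const char *in)
{
	size_t len = 0;
	int pending = 0; /* a rejected run is waiting to become '-' */
	for (; *in; in++) {
		unsigned char c = (unsigned char)*in;
		if (!(isalnum(c) || c == '.' || c == '_')) {
			pending = 1;
			continue;
		}
		if (len + 2 >= n) /* room for '-', this byte and NUL */
			return -1;
		if (pending && len > 0)
			out[len++] = '-';
		pending = 0;
		out[len++] = (char)c;
	}
	if (len)
		out[len] = '\0';
	return len ? 0 : -1;
}

/* Hardened variant: sanitize the reroll value before it reaches the name. */
int build_name_safe(char *out, size_t n, const char *reroll, int nr, const char *subject)
{
	char clean[64];
	if (sanitize_component(clean, sizeof(clean), reroll) < 0)
		return -1;
	int r = snprintf(out, n, "v%s-%04d-%s", clean, nr, subject);
	return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

int main(void)
{
	char raw[128], safe[128];
	build_name_raw(raw, sizeof(raw), "1/2", 1, "add-makefile"); /* constructed input */
	build_name_safe(safe, sizeof(safe), "1/2", 1, "add-makefile");
	return printf("raw:  %s (has '/': %d)\nsafe: %s\n", raw, strchr(raw, '/') != NULL, safe) < 0;
}
```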