Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Don't follow symlinks when adding files to tarballs
Path.wildcard("**") follows symlinks when collecting all of the files under a path. This can lead to files in the tarball containing paths with the symlink in them. If the directory corresponding to the symlink hasn't been created, then the extraction will fail. As an example, the "create with files" unit test now contains a symlink in a directory. Without the fix, it can fail like this: ``` 1) test create with files (Mix.Tasks.Hex.BuildTest) test/mix/tasks/hex.build_test.exs:42 ** (MatchError) no match of right hand side value: {:error, :eexist} code: in_tmp(fn -> stacktrace: test/mix/tasks/hex.build_test.exs:13: Mix.Tasks.Hex.BuildTest.extract/2 test/mix/tasks/hex.build_test.exs:69: anonymous fn/0 in Mix.Tasks.Hex.BuildTest."test create with files"/1 (elixir) lib/file.ex:1443: File.cd!/2 test/mix/tasks/hex.build_test.exs:45: (test) ``` Untaring the `contents.tar.gz` shows the problem. ```sh $ tar tfz contents.tar.gz myfile.txt executable.sh dir/.dotfile dir/a_link_to_dir2 dir/a_link_to_dir2/test.txt dir/dir2/test.txt empty_dir/ link_dir ``` `dir/a_link_to_dir2` is created as a symlink to `dir/dir2`. The `test.txt` file is then extracted to it. This fails since `dir2` hasn't been created yet so `a_link_to_dir2` is dangling. It's also not desirable that `test.txt` was included twice. After the fix, the `contents.tar.gz` looks like this: ```sh $ tar tfz contents.tar.gz myfile.txt executable.sh dir/a_link_to_dir2 dir/dir2/test.txt dir/.dotfile empty_dir/ link_dir ``` Fixes hexpm#631.
- Loading branch information