-
Notifications
You must be signed in to change notification settings - Fork 39.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cp 1.15 #82384
Cp 1.15 #82384
Conversation
/assign @M00nF1sh |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One nit.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: soltysh, tallclair The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Fixed the gofmt/vet issues |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/priority important-longterm
/lgtm |
Valid question, but IMO we shouldn't worry about this case. |
New changes are detected. LGTM label has been removed. |
Fixed comment typo. Reapplying lgtm. |
If we want to minimize the changes, I can also add the symlink restrictions back in, but still create the symlinks at the end. |
/assign @Bubblemelon |
/retest |
1 similar comment
/retest |
…384-upstream-release-1.13 Automated cherry pick of #82384: Reorder symlinks to prevent path escapes
…384-upstream-release-1.14 Automated cherry pick of #82384: Reorder symlinks to prevent path escapes
What type of PR is this?
/kind bug
What this PR does / why we need it:
Fix the
kubectl cp
untarr symlink logic. Unpacking the symlinks after all the regular files have been unpacked guarantees that a file can't be written through a symlink. Furthermore, we still callmkDirAll
for the symlink names, so symlink chaining is prevented as well.This greatly simplifies the symlink resolution logic, and is robust to corner cases we have missed in the past.
Special notes for your reviewer:
Please review carefully. This is changing a bunch of logic that we've had a lot of issues with in the past.
Does this PR introduce a user-facing change?:
/sig cli
/milestone v1.15
/assign @soltysh