Skip to content

uucore: Disallow slashes in determine_backup_suffix#11149

Merged
sylvestre merged 2 commits intouutils:mainfrom
Zellic:backupcontrol-no-path-traversal
Feb 28, 2026
Merged

uucore: Disallow slashes in determine_backup_suffix#11149
sylvestre merged 2 commits intouutils:mainfrom
Zellic:backupcontrol-no-path-traversal

Conversation

@aweinstock314
Copy link
Contributor

@aweinstock314 aweinstock314 commented Feb 27, 2026
edited by sylvestre
Loading

Comparative output from GNU ln and uu ln prior to the fix:

root@b082d601e194:/tmp# ln --version
ln (GNU coreutils) 9.7
Packaged by Debian (9.7-3)
Copyright (C) 2025 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Mike Parker and David MacKenzie.
root@b082d601e194:/tmp# touch a b
root@b082d601e194:/tmp# mkdir b_
root@b082d601e194:/tmp# SIMPLE_BACKUP_SUFFIX=_/../c ln -b -s a b
root@b082d601e194:/tmp# ls -l
total 4
-rw-r--r-- 1 root root    0 Feb 25 23:54 a
lrwxrwxrwx 1 root root    1 Feb 25 23:55 b -> a
drwxr-xr-x 2 root root 4096 Feb 25 23:54 b_
-rw-r--r-- 1 root root    0 Feb 25 23:54 b~

root@03081849be59:/tmp# ln --version
ln (uutils coreutils) 0.6.0
root@03081849be59:/tmp# touch a b
root@03081849be59:/tmp# mkdir b_
root@03081849be59:/tmp# SIMPLE_BACKUP_SUFFIX=_/../c ln -b -s a b
root@03081849be59:/tmp# ls -l
total 4
-rw-r--r-- 1 root root    0 Feb 25 23:53 a
lrwxrwxrwx 1 root root    1 Feb 25 23:54 b -> a
drwxr-xr-x 2 root root 4096 Feb 25 23:53 b_
-rw-r--r-- 1 root root    0 Feb 25 23:53 c

@github-actions
Copy link

github-actions bot commented Feb 27, 2026

GNU testsuite comparison:

Skipping an intermittent issue tests/tail/inotify-dir-recreate (passes in this run but fails in the 'main' branch)
Note: The gnu test tests/printf/printf-surprise is now being skipped but was previously passing.
Congrats! The gnu test tests/tail/tail-n0f is now passing!

@codspeed-hq
Copy link

codspeed-hq bot commented Feb 27, 2026

Merging this PR will improve performance by 5.76%

⚡ 1 improved benchmark
✅ 293 untouched benchmarks
⏩ 42 skipped benchmarks1

Performance Changes

Mode Benchmark BASE HEAD Efficiency
Simulation shuf_input_range[1000000] 89.7 ms 84.8 ms +5.76%

Comparing Zellic:backupcontrol-no-path-traversal (ae6ecb1) with main (a611f98)

Open in CodSpeed

Footnotes

  1. 42 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@sylvestre sylvestre merged commit 313c546 into uutils:main Feb 28, 2026
159 checks passed
sylvestre added a commit to sylvestre/coreutils-1 that referenced this pull request Feb 28, 2026
@sylvestre
test: ln: Verify backup suffix path traversal prevention
614cee8 
missing test detected thanks to:
uutils/coreutils#11149

* tests/ln/backup-suffix-traversal.sh: add a test
sylvestre added a commit to sylvestre/coreutils-1 that referenced this pull request Feb 28, 2026
@sylvestre
test: ln: Verify backup suffix path traversal prevention
68e7e97 
missing test detected thanks to:
uutils/coreutils#11149

* tests/ln/backup-suffix-traversal.sh: add a test
@sylvestre sylvestre mentioned this pull request Feb 28, 2026
Closed
hubot pushed a commit to coreutils/coreutils that referenced this pull request Feb 28, 2026
@sylvestre @pixelb
test: ln: verify backup suffix path traversal prevention
a9808f2 
missing test detected thanks to:
uutils/coreutils#11149

* tests/ln/backup-suffix-traversal.sh: Add a test.
#208
@BrewTestBot BrewTestBot mentioned this pull request Mar 8, 2026
Merged
1 task
@moonfruit moonfruit mentioned this pull request Mar 9, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aweinstock314 @sylvestre