git: 66fa9f7ee8b0 - main - sysutils/iocage: Fix fetch release command

From: Michael Gmelin <grembo_at_FreeBSD.org>
Date: Sun, 08 Dec 2024 17:26:37 UTC
The branch main has been updated by grembo:

URL: https://cgit.FreeBSD.org/ports/commit/?id=66fa9f7ee8b077a0db5ab1c632e6e332d01f64f8

commit 66fa9f7ee8b077a0db5ab1c632e6e332d01f64f8
Author:     Michael Gmelin <grembo@FreeBSD.org>
AuthorDate: 2024-12-08 17:18:49 +0000
Commit:     Michael Gmelin <grembo@FreeBSD.org>
CommitDate: 2024-12-08 17:18:49 +0000

    sysutils/iocage: Fix fetch release command
    
    See also: https://github.com/freebsd/iocage/pull/55
---
 sysutils/iocage/Makefile                           |  2 +-
 .../iocage/files/patch-iocage__lib_ioc__fetch.py   | 33 +++++++++++++++++-----
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/sysutils/iocage/Makefile b/sysutils/iocage/Makefile
index a6d03c6a02cb..a851cb6c04e8 100644
--- a/sysutils/iocage/Makefile
+++ b/sysutils/iocage/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	iocage
 PORTVERSION=	1.8
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	sysutils python
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
 
diff --git a/sysutils/iocage/files/patch-iocage__lib_ioc__fetch.py b/sysutils/iocage/files/patch-iocage__lib_ioc__fetch.py
index 73d8b6e58068..d5697b9205af 100644
--- a/sysutils/iocage/files/patch-iocage__lib_ioc__fetch.py
+++ b/sysutils/iocage/files/patch-iocage__lib_ioc__fetch.py
@@ -1,22 +1,41 @@
 --- iocage_lib/ioc_fetch.py.orig	2024-09-20 06:45:27 UTC
 +++ iocage_lib/ioc_fetch.py
-@@ -47,7 +47,10 @@ import iocage_lib.ioc_start
+@@ -47,6 +47,29 @@ import iocage_lib.ioc_start
  from iocage_lib.pools import Pool
  from iocage_lib.dataset import Dataset
  
-+# deliberately crash if tarfile doesn't have required filter
-+tarfile.tar_filter
++# taken from tarfile.tar_filter (and _get_filtered_attrs)
++# basically the same, but **without**:
++# - Clear high mode bits (setuid, setgid, sticky) and
++#   group/other write bits (S_IWGRP | S_IWOTH).
++def untar_release_filter(member, dest_path):
++    new_attrs = {}
++    name = member.name
++    dest_path = os.path.realpath(dest_path)
++    # Strip leading / (tar's directory separator) from filenames.
++    # Include os.sep (target OS directory separator) as well.
++    if name.startswith(('/', os.sep)):
++        name = new_attrs['name'] = member.path.lstrip('/' + os.sep)
++    if os.path.isabs(name):
++        # Path is absolute even after stripping.
++        # For example, 'C:/foo' on Windows.
++        raise tarfile.AbsolutePathError(member)
++    # Ensure we stay in the destination
++    target_path = os.path.realpath(os.path.join(dest_path, name))
++    if os.path.commonpath([target_path, dest_path]) != dest_path:
++        raise tarfile.OutsideDestinationError(member, target_path)
++    if new_attrs:
++        return member.replace(**new_attrs, deep=False)
++    return member
  
-+
  class IOCFetch:
  
-     """Fetch a RELEASE for use as a jail base."""
-@@ -817,7 +820,7 @@ class IOCFetch:
+@@ -817,7 +840,7 @@ class IOCFetch:
              # removing them first.
              member = self.__fetch_extract_remove__(f)
              member = self.__fetch_check_members__(member)
 -            f.extractall(dest, members=member)
-+            f.extractall(dest, members=member, filter='tar')
++            f.extractall(dest, members=member, filter=untar_release_filter)
  
      def fetch_update(self, cli=False, uuid=None):
          """This calls 'freebsd-update' to update the fetched RELEASE."""