commit aec48c6cc2cd132e59d0286d87f2b3377d62eb93
from: Omar Polo <op@omarpolo.com>
via: Thomas Adam <thomas@xteddy.org>
date: Tue Jul 26 09:35:53 2022 UTC

got patch: error if patchfile isn't a regular file

`got patch' cannot read patches from non-regular files for obvious
reasons.  However, it could crash in sendmsg because pledge doesn't
allow to send file descriptors referring to directories.  So, restrict
`got patch' to operate on regular files only and fail otherwise.

This still allows to read patches from symlinks since they're resolved
at open(2) time and the file type check is performed after.

There may be a marginal usefullness in reading patches from fifos, but
the current code doesn't allow that anyway since got-read-patch needs a
seekable file descriptor anyway.

ok tracey@

commit - e4a6dbc6cd4d9ac4f616b16388061ef0f8fec303
commit + aec48c6cc2cd132e59d0286d87f2b3377d62eb93
blob - 0d75dac8cda60fb9240db06ad390b363b234b780
blob + 216f9c3eb81dab0bb0853b2b2ef04a1ef07da2d1
--- got/got.c
+++ got/got.c
@@ -7941,6 +7941,7 @@ cmd_patch(int argc, char *argv[])
 	const struct got_error *error = NULL, *close_error = NULL;
 	struct got_worktree *worktree = NULL;
 	struct got_repository *repo = NULL;
+	struct stat sb;
 	const char *errstr;
 	char *cwd = NULL;
 	int ch, nop = 0, strip = -1, reverse = 0;
@@ -7980,6 +7981,14 @@ cmd_patch(int argc, char *argv[])
 			error = got_error_from_errno2("open", argv[0]);
 			return error;
 		}
+		if (fstat(patchfd, &sb) == -1) {
+			error = got_error_from_errno2("fstat", argv[0]);
+			goto done;
+		}
+		if (!S_ISREG(sb.st_mode)) {
+			error = got_error_path(argv[0], GOT_ERR_BAD_FILETYPE);
+			goto done;
+		}
 	} else
 		usage_patch();