Hello community, here is the log from the commit of package ghc-zip-archive for openSUSE:Factory checked in at 2019-04-28 20:14:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghc-zip-archive (Old) and /work/SRC/openSUSE:Factory/.ghc-zip-archive.new.5536 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ghc-zip-archive" Sun Apr 28 20:14:02 2019 rev:14 rq:698565 version:0.4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/ghc-zip-archive/ghc-zip-archive.changes 2018-12-10 12:29:51.914435394 +0100 +++ /work/SRC/openSUSE:Factory/.ghc-zip-archive.new.5536/ghc-zip-archive.changes 2019-04-28 20:14:05.958394394 +0200 @@ -1,0 +2,14 @@ +Wed Apr 24 02:02:17 UTC 2019 - psimons@suse.com + +- Update zip-archive to version 0.4.1. + zip-archive 0.4.1 + + * writEntry behavior change: Improve raising of UnsafePath error (#55). + Previously we raised this error spuriously when archives were unpacked + outside the working directory. Now we raise it if eRelativePath contains + ".." as a path component, or eRelativePath path is an absolute path and + there is no separate destination directory. (Note that `/foo/bar` is fine + as a path as long as a destination directory, e.g. `/usr/local`, is + specified.) + +------------------------------------------------------------------- Old: ---- zip-archive-0.4.tar.gz New: ---- zip-archive-0.4.1.tar.gz zip-archive.cabal ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghc-zip-archive.spec ++++++ --- /var/tmp/diff_new_pack.dyKPzk/_old 2019-04-28 20:14:07.886393197 +0200 +++ /var/tmp/diff_new_pack.dyKPzk/_new 2019-04-28 20:14:07.886393197 +0200 
@@ -1,7 +1,7 @@ # # spec file for package ghc-zip-archive # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,13 +19,14 @@ %global pkg_name zip-archive %bcond_with tests Name: ghc-%{pkg_name} -Version: 0.4 +Version: 0.4.1 Release: 0 Summary: Library for creating and modifying zip archives License: BSD-3-Clause Group: Development/Libraries/Haskell URL: https://hackage.haskell.org/package/%{pkg_name} Source0: https://hackage.haskell.org/package/%{pkg_name}-%{version}/%{pkg_name}-%{version}.tar.gz +Source1: https://hackage.haskell.org/package/%{pkg_name}-%{version}/revision/1.cabal#/%{pkg_name}.cabal BuildRequires: ghc-Cabal-devel BuildRequires: ghc-array-devel BuildRequires: ghc-binary-devel @@ -82,6 +83,7 @@ %prep %setup -q -n %{pkg_name}-%{version} +cp -p %{SOURCE1} %{pkg_name}.cabal %build %ghc_lib_build ++++++ zip-archive-0.4.tar.gz -> zip-archive-0.4.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zip-archive-0.4/changelog new/zip-archive-0.4.1/changelog --- old/zip-archive-0.4/changelog 2018-12-04 01:24:06.000000000 +0100 +++ new/zip-archive-0.4.1/changelog 2019-04-23 08:10:30.000000000 +0200 
@@ -1,3 +1,13 @@ +zip-archive 0.4.1 + + * writEntry behavior change: Improve raising of UnsafePath error (#55). + Previously we raised this error spuriously when archives were unpacked + outside the working directory. Now we raise it if eRelativePath contains + ".." as a path component, or eRelativePath path is an absolute path and + there is no separate destination directory. (Note that `/foo/bar` is fine + as a path as long as a destination directory, e.g. `/usr/local`, is + specified.) + zip-archive 0.4 * Implement read-only support for PKWARE encryption (Sergii Rudchenko). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zip-archive-0.4/src/Codec/Archive/Zip.hs new/zip-archive-0.4.1/src/Codec/Archive/Zip.hs --- old/zip-archive-0.4/src/Codec/Archive/Zip.hs 2018-12-04 01:24:06.000000000 +0100 +++ new/zip-archive-0.4.1/src/Codec/Archive/Zip.hs 2019-04-23 08:10:30.000000000 +0200 @@ -77,15 +77,14 @@ import Data.Binary import Data.Binary.Get import Data.Binary.Put -import Data.List (nub, find, intercalate, isPrefixOf, isInfixOf) +import Data.List (nub, find, intercalate) import Data.Data (Data) import Data.Typeable (Typeable) import Text.Printf import System.FilePath import System.Directory (doesDirectoryExist, getDirectoryContents, - createDirectoryIfMissing, getModificationTime, getCurrentDirectory, - makeAbsolute) + createDirectoryIfMissing, getModificationTime) import Control.Monad ( when, unless, zipWithM_ ) import qualified Control.Exception as E import System.IO ( stderr, hPutStrLn ) 
@@ -350,14 +349,16 @@ writeEntry opts entry = do when (isEncryptedEntry entry) $ E.throwIO $ CannotWriteEncryptedEntry (eRelativePath entry) - let path = case [d | OptDestination d <- opts] of - (x:_) -> x > eRelativePath entry - _ -> eRelativePath entry - absPath <- makeAbsolute path - curDir <- getCurrentDirectory - let isUnsafePath = ".." `isInfixOf` absPath || - not (curDir `isPrefixOf` absPath) - when isUnsafePath $ E.throwIO $ UnsafePath path + let relpath = eRelativePath entry + let isUnsafePath = ".." `elem` splitDirectories relpath + when isUnsafePath $ + E.throwIO $ UnsafePath relpath + path <- case [d | OptDestination d <- opts] of + (x:_) -> return (x > relpath) + _ | isAbsolute relpath + -> E.throwIO $ UnsafePath relpath + | otherwise + -> return relpath -- create directories if needed let dir = takeDirectory path exists <- doesDirectoryExist dir diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zip-archive-0.4/zip-archive.cabal new/zip-archive-0.4.1/zip-archive.cabal --- old/zip-archive-0.4/zip-archive.cabal 2018-12-04 01:24:06.000000000 +0100 +++ new/zip-archive-0.4.1/zip-archive.cabal 2019-04-23 08:10:30.000000000 +0200 
@@ -1,5 +1,5 @@ Name: zip-archive -Version: 0.4 +Version: 0.4.1 Cabal-Version: 2.0 Build-type: Simple Synopsis: Library for creating and modifying zip archives. ++++++ zip-archive.cabal ++++++ Name: zip-archive Version: 0.4.1 x-revision: 1 Cabal-Version: 2.0 Build-type: Simple Synopsis: Library for creating and modifying zip archives. Description: The zip-archive library provides functions for creating, modifying, and extracting files from zip archives. The zip archive format is documented in http://www.pkware.com/documents/casestudies/APPNOTE.TXT. . Certain simplifying assumptions are made about the zip archives: in particular, there is no support for strong encryption, zip files that span multiple disks, ZIP64, OS-specific file attributes, or compression methods other than Deflate. However, the library should be able to read the most common zip archives, and the archives it produces should be readable by all standard unzip programs. . Archives are built and extracted in memory, so manipulating large zip files will consume a lot of memory. If you work with large zip files or need features not supported by this library, a better choice may be <http://hackage.haskell.org/package/zip zip>, which uses a memory-efficient streaming approach. However, zip can only read and write archives inside instances of MonadIO, so zip-archive is a better choice if you want to manipulate zip archives in "pure" contexts. . As an example of the use of the library, a standalone zip archiver and extracter is provided in the source distribution. 
Category: Codec Tested-with: GHC == 7.8.2, GHC == 7.10.3, GHC == 8.0.2, GHC == 8.2.2, GHC == 8.4.3, GHC == 8.6.1 License: BSD3 License-file: LICENSE Homepage: http://github.com/jgm/zip-archive Author: John MacFarlane Maintainer: jgm@berkeley.edu Extra-Source-Files: changelog README.markdown tests/test4.zip tests/test4/a.txt tests/test4/b.bin "tests/test4/c/with spaces.txt" tests/zip_with_symlinks.zip tests/zip_with_password.zip tests/zip_with_evil_path.zip Source-repository head type: git location: git://github.com/jgm/zip-archive.git flag executable Description: Build the Zip executable. Default: False Library Build-depends: base >= 4.5 && < 5, pretty, containers, binary >= 0.6, zlib, filepath, bytestring >= 0.10.0, array, mtl, text >= 0.11, digest >= 0.0.0.1, directory >= 1.2.0, time Exposed-modules: Codec.Archive.Zip Default-Language: Haskell98 Hs-Source-Dirs: src Ghc-Options: -Wall if os(windows) cpp-options: -D_WINDOWS else Build-depends: unix Executable zip-archive if flag(executable) Buildable: True else Buildable: False Main-is: Main.hs Hs-Source-Dirs: . Build-Depends: base >= 4.2 && < 5, directory >= 1.1, bytestring >= 0.9.0, zip-archive Other-Modules: Paths_zip_archive Autogen-Modules: Paths_zip_archive Ghc-Options: -Wall Default-Language: Haskell98 Test-Suite test-zip-archive Type: exitcode-stdio-1.0 Main-Is: test-zip-archive.hs Hs-Source-Dirs: tests Build-Depends: base >= 4.2 && < 5, directory >= 1.3, bytestring >= 0.9.0, process, time, HUnit, zip-archive, temporary, filepath Default-Language: Haskell98 Ghc-Options: -Wall if os(windows) cpp-options: -D_WINDOWS else Build-depends: unix build-tools: unzip
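Review bot: In the ghc-zip-archive.spec hunk, the added `cp -p %{SOURCE1} %{pkg_name}.cabal` line in `%prep` replaces the cabal file shipped in the tarball with the Hackage revision from `Source1`, and nothing in the spec says why. A one-line comment above it naming the revision (the URL pins `revision/1.cabal`, and the new file carries `x-revision: 1`) would let a later reviewer confirm the override is intentional and keep the two in step. With `%bcond_with tests` the tests conditional defaults to off, so this update deserves one build with tests enabled, given the UnsafePath behaviour change it ships.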
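Review bot: The changelog entry added to ghc-zip-archive.changes and to the upstream changelog names the function `writEntry`, while the code hunk changes `writeEntry`, so a search for the real name will miss this entry. "eRelativePath path is an absolute path" also doubles the word "path". Both are upstream wording carried into the .changes file; worth correcting upstream so the next sync picks it up.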
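Review bot: In the `writeEntry` hunk of src/Codec/Archive/Zip.hs, the `(x:_)` branch joins the destination with `relpath` without checking `isAbsolute relpath`; only the no-destination branch rejects absolute paths. The join operator shows here as `>`; assuming it is `</>` from the imported System.FilePath, an absolute right-hand side replaces the left-hand side, so an entry named `/foo/bar` with `OptDestination "/usr/local"` resolves to `/foo/bar` rather than to a path under the destination, which is not what the changelog note implies. Consider rejecting an absolute `relpath` in both branches, or stripping its root (for example with `dropDrive`) before joining. With `makeAbsolute` and the `curDir` prefix test removed, the `..` test on `splitDirectories relpath` is the only containment guard left and it is purely lexical, so a test that extracts tests/zip_with_evil_path.zip with a destination set would pin the intended behaviour; this diff changes no test file.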
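Review bot: In the new zip-archive.cabal, `Source-repository head` gives `location: git://github.com/jgm/zip-archive.git` and `Homepage` gives an `http://` URL; the git:// transport is unauthenticated and unencrypted, so anyone following this metadata to fetch the source gets no integrity protection in transit. Suggest `https://github.com/jgm/zip-archive.git` and an https Homepage in the next upstream revision.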