However, I don't know whether the obvious way to fix that would introduce new security problems.
I suspect that the generate_archive patch has a bug: zf.writestr(zi,
path) sets the file contents of the symlink in the zip (i.e. the
filename it points to) to path (the filename of the original symlink,
not the filename it points to). Hence, it creates a symlink to itself,
not a symlink to whatever the original symlink pointed to. The included
tests don't notice because they don't check where the symlink points to.
- Bug#1091383: pagure: security issues Rebecca N. Palmer
- Bug#1091383: pagure: security issues Rebecca N. Palmer
