tests/zgrep-abuse

   1 #!/bin/sh
   2 # Show how zgrep applied to a crafted file name may overwrite
   3 # a selected file with chosen content.  Fixed in gzip-1.12.
   4
   5 # Copyright (C) 2022-2025 Free Software Foundation, Inc.
   6
   7 # This program is free software: you can redistribute it and/or modify
   8 # it under the terms of the GNU General Public License as published by
   9 # the Free Software Foundation, either version 3 of the License, or
  10 # (at your option) any later version.
  11
  12 # This program is distributed in the hope that it will be useful,
  13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 # GNU General Public License for more details.
  16
  17 # You should have received a copy of the GNU General Public License
  18 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
  19 # limit so don't run it by default.
  20
  21 . "${srcdir=.}/init.sh"; path_prepend_ ..
  22
  23 : > z || framework_failure_
  24 echo test |gzip > 'z|
  25 p
  26 1s|.*|chosen-content|
  27 1w hacked
  28 etouch .\x2fhacked2
  29 d
  30 #
  31 #' || framework_failure_
  32
  33 fail=0
  34
  35 zgrep test z* > /dev/null
  36
  37 # Before the fix, each of these would be created.
  38 test -f hacked && fail=1
  39 test -f hacked2 && fail=1
  40
  41 Exit $fail