techtonik / python-patch

Library to parse and apply unified diffs
https://pypi.python.org/pypi/patch

Support for patches that add or remove files #28

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I noticed that patch.py does not support patches that add or remove files.
The following patch against v245 adds support for this.

Original issue reported on code.google.com by jeroen.d...@gmail.com on 12 Dec 2014 at 4:25

Attachments:

GoogleCodeExporter commented 9 years ago
Very nice! Would you mind adding a few tests to your patch?

Original comment by pombreda...@gmail.com on 12 Dec 2014 at 5:39

GoogleCodeExporter commented 9 years ago
Hi, this update contains the support for new files and deleting of files, and also has a test case for it.

Original comment by jeroen.d...@gmail.com on 14 Dec 2014 at 6:13

Attachments:

ghost commented 8 years ago

Hello. I was wondering if there was any timescale for applying and making a release with the create/remove functionality. I'd love to use patch.py (just testing it out for the first time today), and this is a blocker. Is there anything missing in the last patch attached here which you need a hand with?

Kind regards, Roger

techtonik commented 8 years ago

@rleigh-dundee hi, glad you find it useful. The last patch lacks proper security research:

  1. that created files do not fall outside the scope of the patch's local directory
  2. that the API still allows using patches with absolute paths if people really need them

Patching existing files is already a danger, but creating them opens several new attack vectors. I am not getting time for it, because I am actively looking for a solution to refill my living cost funds, and so far no proposal has included work on patch.py.

Actionable items include:

  1. review that the filename normalization function is secure: https://github.com/techtonik/python-patch/blob/e659ebd079157418e13ba36a64cfd90bb21d62e3/patch.py#L683
  2. write missing tests for it
  3. run it against existing test suites for filename sanitization (and find those suites)
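As an added example that is not part of python-patch or of any comment in this thread, the following Python sketches the two checks the actionable items above ask for: a lexical normalization that rejects target paths escaping the directory the patch is applied in (while an explicit `allow_absolute` switch keeps absolute paths usable for callers who need them), and a second, filesystem-level check that resolves symlinks before writing. All function names (`sanitize_patch_path`, `plan_operation`, `resolve_in_dir`, `UnsafePath`) and the sample header pairs are assumptions made for this illustration; stripping a leading `a/` or `b/` follows the git diff convention and is not a claim about how this library's own normalization works.

```python
"""Path safety for patches that create or delete files.

Added example; not python-patch's own code. Every function name here is hypothetical.
"""
import os
import posixpath
import tempfile

DEV_NULL = "/dev/null"  # what '---'/'+++' headers show for a created or deleted file


class UnsafePath(ValueError):
    """Raised when a patch target path would leave the directory being patched."""


def sanitize_patch_path(name, allow_absolute=False):
    """Normalize a file name taken from a '---' or '+++' header.

    Returns a clean relative path using forward slashes, or the normalized
    absolute path when allow_absolute is True. Raises UnsafePath otherwise.
    """
    if "\0" in name:
        raise UnsafePath("NUL byte in path: %r" % name)
    # Diffs use '/', but a Windows-style '..\\' must not slip past the checks on POSIX.
    cleaned = name.replace("\\", "/")
    # Drive-letter paths (C:/x) are absolute too, even though posixpath says otherwise.
    is_abs = posixpath.isabs(cleaned) or (
        len(cleaned) >= 2 and cleaned[0].isalpha() and cleaned[1] == ":")
    if is_abs:
        if not allow_absolute:
            raise UnsafePath("absolute path rejected: %r" % name)
        return posixpath.normpath(cleaned)
    norm = posixpath.normpath(cleaned)  # collapses './' and 'x/../' segments
    # After normpath, any leading '..' can only mean the path climbs out of the tree.
    if norm in (".", "..") or norm.startswith("../"):
        raise UnsafePath("path escapes patch directory: %r" % name)
    return norm


def strip_prefix(name):
    """Drop the leading 'a/' or 'b/' that git-style diffs put on header paths (assumed convention)."""
    if name[:2] in ("a/", "b/"):
        return name[2:]
    return name


def plan_operation(old_name, new_name, allow_absolute=False):
    """Map a '---'/'+++' header pair to ('create' | 'delete' | 'modify', path).

    '/dev/null' on the '---' side means the patch creates the file; on the
    '+++' side it deletes it. The surviving name goes through sanitize_patch_path.
    """
    if old_name == DEV_NULL and new_name == DEV_NULL:
        raise ValueError("header has /dev/null on both sides")
    if old_name == DEV_NULL:
        return "create", sanitize_patch_path(strip_prefix(new_name), allow_absolute)
    if new_name == DEV_NULL:
        return "delete", sanitize_patch_path(strip_prefix(old_name), allow_absolute)
    return "modify", sanitize_patch_path(strip_prefix(new_name), allow_absolute)


def resolve_in_dir(rel_path, base_dir):
    """Join a sanitized relative path onto base_dir and confirm, after resolving
    symlinks, that the result still lies under base_dir. A symlinked
    subdirectory pointing outside the tree would otherwise defeat the purely
    lexical checks above."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *rel_path.split("/")))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath("resolved path %r leaves %r" % (target, base))
    return target


# Constructed header pairs, as they would appear on '---'/'+++' lines.
SAMPLE_HEADERS = [
    ("/dev/null", "b/src/new_module.py"),       # file creation
    ("a/docs/old.txt", "/dev/null"),            # file deletion
    ("a/setup.py", "b/setup.py"),               # ordinary modification
    ("/dev/null", "b/../../outside.txt"),       # climbs out of the tree
    ("/dev/null", "/tmp/outside.txt"),          # absolute path
    ("/dev/null", "b/..\\..\\outside.txt"),     # same climb, with backslashes
]


def check_headers(headers, allow_absolute=False):
    """Run plan_operation over header pairs; unsafe ones become ('rejected', reason)."""
    results = []
    for old, new in headers:
        try:
            results.append(plan_operation(old, new, allow_absolute))
        except UnsafePath as exc:
            results.append(("rejected", str(exc)))
    return results


def symlink_escape_demo():
    """Build a throwaway tree where 'link' inside the patch directory points
    outside it, and show that resolve_in_dir refuses to write through it.
    Returns True when the escape is caught."""
    inside = tempfile.mkdtemp(prefix="patchdir-")
    outside = tempfile.mkdtemp(prefix="outside-")
    os.symlink(outside, os.path.join(inside, "link"))
    try:
        resolve_in_dir("link/escaped.txt", inside)
    except UnsafePath:
        return True
    return False


if __name__ == "__main__":
    for item in check_headers(SAMPLE_HEADERS):
        print(item)
    print("symlink escape caught:", symlink_escape_demo())
```

The lexical check alone is what a filename-sanitization test suite would exercise (item 3 above); the `realpath` check is what protects an existing checkout whose tree already contains a symlink pointing elsewhere. Keeping `allow_absolute` as an explicit parameter rather than a global keeps item 2 satisfied without making the permissive behaviour the default.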