commit 595228385f8c74590756ff446d5b84aad0ebfda7
from: Omar Polo <op@omarpolo.com>
date: Mon Jul 25 18:11:04 2022 UTC

got patch: error if patchfile isn't a regular file

`got patch' cannot read patches from non-regular files for obvious
reasons.  However, it could crash in sendmsg because pledge doesn't
allow to send file descriptors referring to directories.  So, restrict
`got patch' to operate on regular files only and fail otherwise.

This still allows to read patches from symlinks since they're resolved
at open(2) time and the file type check is performed after.

There may be a marginal usefullness in reading patches from fifos, but
the current code doesn't allow that anyway since got-read-patch needs a
seekable file descriptor anyway.

ok tracey@

commit - 04aed1557bf2e67bfef8d3a991fd54526142c8a8
commit + 595228385f8c74590756ff446d5b84aad0ebfda7
blob - 426fe05030db9048691647f7a8580d916d95ab60
blob + df883fd1dcb28651677ef268c491f878e506e7fe
--- got/got.c
+++ got/got.c
@@ -7941,6 +7941,7 @@ cmd_patch(int argc, char *argv[])
 	const struct got_error *error = NULL, *close_error = NULL;
 	struct got_worktree *worktree = NULL;
 	struct got_repository *repo = NULL;
+	struct stat sb;
 	const char *errstr;
 	char *cwd = NULL;
 	int ch, nop = 0, strip = -1, reverse = 0;
@@ -7980,6 +7981,14 @@ cmd_patch(int argc, char *argv[])
 			error = got_error_from_errno2("open", argv[0]);
 			return error;
 		}
+		if (fstat(patchfd, &sb) == -1) {
+			error = got_error_from_errno2("fstat", argv[0]);
+			goto done;
+		}
+		if (!S_ISREG(sb.st_mode)) {
+			error = got_error_path(argv[0], GOT_ERR_BAD_FILETYPE);
+			goto done;
+		}
 	} else
 		usage_patch();