Support for patches that add or remove files #28

Open
GoogleCodeExporter opened this issue Apr 18, 2015 · 4 comments

@GoogleCodeExporter

I noticed that patch.py does not support patches that add or remove files.
Following patch against v245 adds support for this.

Original issue reported on code.google.com by [email protected] on 12 Dec 2014 at 4:25

Attachments:

@techtonik techtonik added this to the 2.16 milestone Feb 13, 2016
joshbeal added a commit to RevealHQ/python-patch that referenced this issue Mar 10, 2016
joshbeal added a commit to RevealHQ/python-patch that referenced this issue Mar 10, 2016
@ghost

ghost commented Mar 24, 2016

Hello. I was wondering if there was any timescale for applying and making a release with the create/remove functionality. I'd love to use patch.py (just testing it out for the first time today), and this is a blocker. Is there anything missing in the last patch attached here which is lacking/missing which you need a hand with?

Kind regards,
Roger

@techtonik
Owner

@rleigh-dundee hi, glad you find it useful. The last patch lacks proper security research:

  1. that created files do not fall outside the scope of the patch's local directory
  2. that the API still allows using patches with absolute paths if people really need them

Patching existing files is already a danger, but creating them opens several new attack vectors. I am not getting time for it, because I am actively looking for a solution to refill my living cost funds, and so far no proposal included the work on patch.py

Actionable items include:

  1. review that filename normalization function is secure
  2. write missing tests for it
  3. run it against existing test suites for filename sanitization (and find those suites)
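
One way to express the containment check the comment above asks for, as an added example: this is not code from patch.py or from the attached patch, and the names `resolve_patch_target`, `UnsafePatchPath` and `is_accepted` are hypothetical. It rejects header filenames that leave the patch root through `..`, a backslash separator, or an existing symlink, and keeps absolute paths behind an explicit opt-in.

```python
import os
import tempfile


class UnsafePatchPath(ValueError):
    """A patch header names a file outside the directory being patched."""


def resolve_patch_target(root, name, allow_absolute=False):
    """Map an untrusted ---/+++ header filename to a real path under root.

    allow_absolute is the explicit opt-in for callers that really need
    absolute paths; by default they are rejected.
    """
    if "\0" in name:
        raise UnsafePatchPath("NUL byte in filename: %r" % name)
    # Treat a backslash as a separator too, so it cannot hide ".." on POSIX.
    name = name.replace("\\", "/")
    if name.startswith("/") or name[1:2] == ":":  # POSIX root or drive letter
        if not allow_absolute:
            raise UnsafePatchPath("absolute path not allowed: %r" % name)
        return os.path.realpath(name)
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks that already exist, so a
    # link inside root pointing elsewhere is resolved before the comparison.
    target = os.path.realpath(os.path.join(root_real, name))
    inside = os.path.commonpath([root_real, target]) == root_real
    if not inside or target == root_real:
        raise UnsafePatchPath("path escapes patch root: %r" % name)
    return target


def is_accepted(root, name, **kw):
    """True if name resolves inside root (or is an allowed absolute path)."""
    try:
        resolve_patch_target(root, name, **kw)
        return True
    except UnsafePatchPath:
        return False


if __name__ == "__main__":
    # Constructed sample layout: proj/ is the patch root, proj/link -> ../outside
    with tempfile.TemporaryDirectory() as base:
        root, outside = os.path.join(base, "proj"), os.path.join(base, "outside")
        os.mkdir(root), os.mkdir(outside)
        os.symlink(outside, os.path.join(root, "link"))
        for name in ["src/new.py", "a/../b.txt", "../outside/x", "link/x", "/etc/passwd"]:
            print("%-14s %s" % (name, "ok" if is_accepted(root, name) else "REJECTED"))
```

The check resolves the path at validation time only; a symlink created between the check and the write is not covered, so the file should be opened from the returned path without re-resolving the header name.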
