Package: pandoc / 2.17.1.1-2~deb12u1

020230623.4~5246f02.patch Patch series | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
 
Description: improve tests for fillMediaBag/extractMedia
 Ensure that the current directory is not changed up if a test fails,
 and fix messages for the assertion failures.
Origin: upstream, https://github.com/jgm/pandoc/commit/5246f02
Author: John MacFarlane <jgm@berkeley.edu>
Bug: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-35936
Forwarded: yes
Last-Update: 2023-07-25
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/test/Tests/MediaBag.hs
+++ b/test/Tests/MediaBag.hs
@@ -6,16 +6,15 @@
 -- import Tests.Helpers
 import Text.Pandoc.Class (extractMedia, fillMediaBag, runIOorExplode)
 import System.IO.Temp (withTempDirectory)
+import Text.Pandoc.Shared (inDirectory)
 import System.FilePath
 import Text.Pandoc.Builder as B
-import System.Directory (doesFileExist, copyFile, setCurrentDirectory, getCurrentDirectory)
+import System.Directory (doesFileExist, copyFile)
 
 tests :: [TestTree]
 tests = [
   testCase "test fillMediaBag & extractMedia" $
-      withTempDirectory "." "extractMediaTest" $ \tmpdir -> do
-        olddir <- getCurrentDirectory
-        setCurrentDirectory tmpdir
+      withTempDirectory "." "extractMediaTest" $ \tmpdir -> inDirectory tmpdir $ do
         copyFile "../../test/lalune.jpg" "moon.jpg"
         let d = B.doc $
                   B.para (B.image "../../test/lalune.jpg" "" mempty) <>
@@ -26,14 +25,13 @@
           fillMediaBag d
           extractMedia "foo" d
         exists1 <- doesFileExist ("foo" </> "moon.jpg")
-        assertBool "file in directory extract with original name" exists1
+        assertBool "file in directory is not extracted with original name" exists1
         exists2 <- doesFileExist ("foo" </> "f9d88c3dbe18f6a7f5670e994a947d51216cdf0e.jpg")
-        assertBool "file above directory extracted with hashed name" exists2
+        assertBool "file above directory is not extracted with hashed name" exists2
         exists3 <- doesFileExist ("foo" </> "2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua")
         exists4 <- doesFileExist "a.lua"
-        assertBool "data uri with malicious payload does not get written to arbitrary location"
+        assertBool "data uri with malicious payload gets written outside of destination dir"
           (exists3 && not exists4)
         exists5 <- doesFileExist ("foo" </> "d5fceb6532643d0d84ffe09c40c481ecdf59e15a.gif")
-        assertBool "data uri with gif is properly decoded" exists5
-        setCurrentDirectory olddir
+        assertBool "data uri with gif is not properly decoded" exists5
   ]