From 7323c904f86ba9e04065c23422d06c03647589fb Mon Sep 17 00:00:00 2001
From: Marcus Huewe
Date: Wed, 13 May 2020 22:08:16 +0200
Subject: [PATCH] bs_srcserver: Forbid the creation of a _link in mergeservicerun

A _link file is not allowed because it can result in a potential privilege escalation.
Conflict:NA
Reference:https://github.com/openSUSE/open-build-service/commit/7323c904f86ba9e04065c23422d06c03647589fb
Signed-off-by:Marcus Huewe
---
 src/backend/bs_srcserver | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/backend/bs_srcserver b/src/backend/bs_srcserver
index da3f3c3..07e411e 100755
--- a/src/backend/bs_srcserver
+++ b/src/backend/bs_srcserver
@@ -391,6 +391,7 @@ sub mergeservicerun {
 delete $files->{'_service'};
 for (sort keys %$files) {
 next unless /^_service:.*:(.*?)$/s;
+ die("cannot create a link from a service") if $1 eq '_link';
 $files->{$1} = $files->{$_};
 delete $files->{$_};
 BSSrcrep::copyonefile($projid, $packid, $1, $projid, $packid, $_, $files->{$1});
-- 
2.23.0
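Review bot: The new `_link` rejection sits inside the same loop that rewrites `$files` and calls `BSSrcrep::copyonefile`, so with `sort keys` any `_service:*` entries that sort before the offending one have already been renamed and copied when the `die` fires. Whether that leftover state matters depends on `copyonefile` and on the caller, neither of which is visible here (`mergeservicerun` starts and continues outside the hunk), but for a privilege-escalation fix it is easier to reason about a check that runs before any mutation, e.g. `die("cannot create a link from a service") if grep { /^_service:.*:_link$/s } keys %$files;` placed ahead of the `for`. The test is also an exact match on a single name, so if other underscore-prefixed control files must never be produced by a service run they would need the same treatment. A short comment on the line, such as `# a service run must never produce a real _link (privilege escalation)`, would keep the reason next to the code.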