From c7efa4cee705ec9f43eef9d8f9d021f58f834a8c Mon Sep 17 00:00:00 2001
From: Balasankar C
Date: Thu, 17 Aug 2017 19:03:37 +0530
Subject: [PATCH] Add patch for CVE-2016-9086
---
 debian/patches/cve-2016-9086-fix.patch | 47 ++++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 48 insertions(+)
 create mode 100644 debian/patches/cve-2016-9086-fix.patch
diff --git a/debian/patches/cve-2016-9086-fix.patch b/debian/patches/cve-2016-9086-fix.patch
new file mode 100644
index 0000000000..d57950c16b
--- /dev/null
+++ b/debian/patches/cve-2016-9086-fix.patch
@@ -0,0 +1,47 @@
+Description: Fix file disclosure via hidden symlinks using the project import
+Author: Rémy Coutable
+Bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/36091
+Last-Update: 2017-08-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/lib/gitlab/import_export/file_importer.rb
++++ b/lib/gitlab/import_export/file_importer.rb
+@@ -47,12 +47,16 @@
+ end
+ 
+ def remove_symlinks!
+- Dir["#{@shared.export_path}/**/*"].each do |path|
++ extracted_files.each do |path|
+ FileUtils.rm(path) if File.lstat(path).symlink?
+ end
+ 
+ true
+ end
++
++ def extracted_files
++ Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ /.*\/\.{1,2}$/ }
++ end
+ end
+ end
+ end
+--- a/spec/lib/gitlab/import_export/file_importer_spec.rb
++++ b/spec/lib/gitlab/import_export/file_importer_spec.rb
+@@ -5,6 +5,7 @@
+ let(:export_path) { "#{Dir::tmpdir}/file_importer_spec" }
+ let(:valid_file) { "#{shared.export_path}/valid.json" }
+ let(:symlink_file) { "#{shared.export_path}/invalid.json" }
++ let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
+ let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
+ 
+ before do
+@@ -25,6 +26,10 @@
+ expect(File.exist?(symlink_file)).to be false
+ end
+ 
++ it 'removes hidden symlinks in root folder' do
++ expect(File.exist?(hidden_symlink_file)).to be false
++ end
++
+ it 'removes symlinks in subfolders' do
+ expect(File.exist?(subfolder_symlink_file)).to be false
+ end
diff --git a/debian/patches/series b/debian/patches/series
index 15d9a1215c..9b95d52b8c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+cve-2016-9086-fix.patch
 0005-use-debian-omniauth-ldap.patch
 0018-loosen-rdoc.patch
 0050-relax-stable-libs.patch
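Review bot: In the nested `file_importer.rb` hunk, the filter added in `extracted_files` (`f =~ /.*\/\.{1,2}$/`) anchors with `$`, which in Ruby matches before any newline rather than only at the end of the string, so on filesystems that permit newlines in names an entry whose basename is `.` or `..` followed by a newline would be dropped from the list and never reach the `symlink?` check in `remove_symlinks!`. Comparing the basename avoids the regex and makes the intent (skip only the `.`/`..` pseudo-entries that the glob returns under `FNM_DOTMATCH`) obvious: `.reject { |f| %w[. ..].include?(File.basename(f)) }`. A one-line comment above the glob, such as `# FNM_DOTMATCH so hidden (dot) symlinks are included; the glob then also yields . and .. which must be skipped`, would save the next reader from re-deriving why the flag and the filter are both needed. The enclosing class of these two methods starts and ends outside the quoted hunk.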