File 001-do-not-allow-slash-in-canonname-CVE-2019-3681.patch of Package osc.15227

diff --git a/osc/fetch.py b/osc/fetch.py
index b96d1aec..273ec8cf 100644
--- a/osc/fetch.py
+++ b/osc/fetch.py
@@ -224,6 +224,8 @@ class Fetcher:
                     sys.exit(1)
                 canonname = pac_obj.binary
 
+        if '/' in canonname:
+            raise oscerr.OscIOError(None, 'canonname contains a slash')
         fullfilename = os.path.join(destdir, canonname)
         if pac_obj is not None:
             pac_obj.canonname = canonname
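Review bot: The added guard `if '/' in canonname:` rejects only the forward slash, so a `canonname` of `..`, `.` or the empty string still reaches `os.path.join(destdir, canonname)` and resolves to the parent of `destdir` or to `destdir` itself. Whether the later write can do harm with such a path is not visible in this hunk, but the check is cheap to make complete: `if canonname in ('', '.', '..') or os.path.basename(canonname) != canonname:`, which also covers platform-specific separators. A one-line comment above the check, such as `# canonname may come from package metadata; it must be a plain file name (CVE-2019-3681)`, would keep the reason for the guard visible to later maintainers. The enclosing method of `Fetcher` starts and ends outside the hunk, so the origin of `canonname` on the other branch cannot be confirmed from here.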