File CVE-2025-68398_1.patch of Package weblate
From 4837a4154390f7c1d03c0e398aa6439dcfa361b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <michal@cihar.com>
Date: Tue, 16 Dec 2025 08:25:17 +0100
Subject: [PATCH] fix(validators): reject certain paths from being used
Restrict filenames based on the translation-finder blacklist, which covers files we
do not want to touch.
---
weblate/trans/backups.py | 2 +-
weblate/utils/files.py | 2 +-
weblate/utils/tests/test_validators.py | 10 ++++++++++
weblate/utils/validators.py | 5 ++++-
4 files changed, 16 insertions(+), 3 deletions(-)
Index: weblate-weblate-5.14.3/weblate/trans/backups.py
===================================================================
--- weblate-weblate-5.14.3.orig/weblate/trans/backups.py
+++ weblate-weblate-5.14.3/weblate/trans/backups.py
@@ -525,7 +525,7 @@ class ProjectBackup:
self.load_memory(zipfile)
self.load_components(zipfile)
for name in zipfile.namelist():
- validate_filename(name)
+ validate_filename(name, check_prohibited=False)
def restore_unit(
self,
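Review bot: The added call disables the new prohibited-folder check for every entry in the backup archive without recording why, so a reader cannot tell whether `.git/`-style entries are expected in backups or whether the exemption is an oversight. A one-line comment above the loop should state the reason, e.g. `# Backup entries may include paths is_excluded() rejects (presumably VCS metadata) — only the traversal checks apply here; confirm against the backup writer`. Note that with `check_prohibited=False` the names are screened only by validate_filename's `../` / `..\` test and cleanup_path (not visible here) before they reach whatever extracts the archive, which is worth saying in that comment as well. The enclosing method of ProjectBackup starts outside the hunk.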
Index: weblate-weblate-5.14.3/weblate/utils/files.py
===================================================================
--- weblate-weblate-5.14.3.orig/weblate/utils/files.py
+++ weblate-weblate-5.14.3/weblate/utils/files.py
@@ -90,7 +90,7 @@ def should_skip(location):
)
-def is_excluded(path):
+def is_excluded(path: str) -> bool:
"""Whether path should be excluded from zip extraction."""
return any(exclude in f"/{path}/" for exclude in PATH_EXCLUDES) or ".." in path
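Review bot: The docstring `Whether path should be excluded from zip extraction.` is now out of date, because this commit also imports is_excluded into weblate/utils/validators.py and makes it the basis of validate_filename's prohibited-folder check. Widen it to cover both callers and to name the two conditions the body actually tests, e.g. `"""Whether path is excluded: it contains a prohibited folder from PATH_EXCLUDES or the substring "..". Used for zip extraction and by validate_filename()."""`. The `".." in path` test is a plain substring match, so it is broader than a parent-directory reference; that breadth is inherited by the new caller.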
Index: weblate-weblate-5.14.3/weblate/utils/tests/test_validators.py
===================================================================
--- weblate-weblate-5.14.3.orig/weblate/utils/tests/test_validators.py
+++ weblate-weblate-5.14.3/weblate/utils/tests/test_validators.py
@@ -106,6 +106,16 @@ class FilenameTest(SimpleTestCase):
def test_empty(self) -> None:
validate_filename("")
+ def test_prohibited(self) -> None:
+ with self.assertRaises(ValidationError):
+ validate_filename(".git/config")
+ validate_filename(".git/config", check_prohibited=False)
+
+ def test_prohibited_subdir(self) -> None:
+ with self.assertRaises(ValidationError):
+ validate_filename("path/.git/config")
+ validate_filename("path/.git/config", check_prohibited=False)
+
class RegexTest(SimpleTestCase):
def test_empty(self) -> None:
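Review bot: Both new tests only exercise the rejecting path; there is no case asserting that an ordinary relative name such as `path/config` still passes with the default `check_prohibited=True`, so a regression that made is_excluded reject everything would go unnoticed. Since validate_filename treats `..\` as a separator alongside `../`, a backslash variant such as `validate_filename(r".git\config")` is also worth asserting inside the assertRaises block of test_prohibited — whether cleanup_path or PATH_EXCLUDES normalises that separator is not visible here, and this test is what would document it. The FilenameTest class starts outside the hunk.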
Index: weblate-weblate-5.14.3/weblate/utils/validators.py
===================================================================
--- weblate-weblate-5.14.3.orig/weblate/utils/validators.py
+++ weblate-weblate-5.14.3/weblate/utils/validators.py
@@ -26,6 +26,7 @@ from django.utils.translation import get
from weblate.trans.util import cleanup_path
from weblate.utils.data import data_dir
+from weblate.utils.files import is_excluded
USERNAME_MATCHER = re.compile(r"^[\w@+-][\w.@+-]*$")
@@ -214,7 +215,7 @@ def validate_plural_formula(value) -> No
) from error
-def validate_filename(value) -> None:
+def validate_filename(value: str, *, check_prohibited: bool = True) -> None:
if "../" in value or "..\\" in value:
raise ValidationError(
gettext("The filename can not contain reference to a parent directory.")
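Review bot: The new keyword-only `check_prohibited` parameter is undocumented and validate_filename has no docstring, so a caller cannot tell what passing False disables or why they would. Add a docstring directly under the new signature, e.g. `"""Validate a user-supplied relative filename.` / `Raise ValidationError on a parent-directory reference, on a path that cleanup_path() would rewrite and, unless check_prohibited is False, on a path is_excluded() rejects (prohibited folder or "..")."""`. The function body continues past this hunk; the is_excluded check itself is in the following hunk.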
@@ -230,6 +231,8 @@ def validate_filename(value) -> None:
"Maybe you want to use: {}"
).format(cleaned)
)
+ if check_prohibited and is_excluded(cleaned):
+ raise ValidationError(gettext("The filename contains a prohibited folder."))
def validate_backup_path(value: str) -> None:
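Review bot: The message `The filename contains a prohibited folder.` on the added raise covers every reason is_excluded() returns True, including its `".." in path` substring test, so a name that passed the earlier `../` / `..\` check but still contains two consecutive dots (a constructed example: `notes..txt`) is reported as containing a prohibited folder, which will confuse users and support. Either word the message to match what is tested, e.g. `gettext("The filename contains a prohibited folder or parent-directory reference.")`, or test PATH_EXCLUDES membership here and leave the `..` case to the existing check. The check runs on `cleaned`, which at this point appears equal to `value` because the mismatch branch above already raised — the start of that branch, and validate_filename's definition, lie outside this hunk.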