mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-08-08 19:00:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Adding tarfile member sanitization to extractall()

Browse source
This commit is contained in:
TrellixVulnTeam 2022-10-30 09:19:39 +00:00
parent ef9776755e
commit 0e473d5325
2 changed files with 40 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

21
third_party/python/Lib/tarfile.py vendored
View file

@ -2508,7 +2508,26 @@ def main():
if is_tarfile(src):
with TarFile.open(src, 'r:*') as tf:
tf.extractall(path=curdir)
def is_within_directory(directory, target):
abs_directory = os.path.abspath(directory)
abs_target = os.path.abspath(target)
prefix = os.path.commonprefix([abs_directory, abs_target])
return prefix == abs_directory
def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
for member in tar.getmembers():
member_path = os.path.join(path, member.name)
if not is_within_directory(path, member_path):
raise Exception("Attempted Path Traversal in Tar File")
tar.extractall(path, members, numeric_owner=numeric_owner)
safe_extract(tf, path=curdir)
if args.verbose:
if curdir == '.':
msg = '{!r} file is extracted.'.format(src)

21
third_party/python/Lib/test/test_tarfile.py vendored
View file

@ -614,7 +614,26 @@ class MiscReadTestBase(CommonReadTest):
with support.temp_dir(DIR), \
tarfile.open(tarname, encoding="iso8859-1") as tar:
directories = [t for t in tar if t.isdir()]
tar.extractall(DIR, directories)
def is_within_directory(directory, target):
abs_directory = os.path.abspath(directory)
abs_target = os.path.abspath(target)
prefix = os.path.commonprefix([abs_directory, abs_target])
return prefix == abs_directory
def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
for member in tar.getmembers():
member_path = os.path.join(path, member.name)
if not is_within_directory(path, member_path):
raise Exception("Attempted Path Traversal in Tar File")
tar.extractall(path, members, numeric_owner=numeric_owner)
safe_extract(tar, DIR, directories)
for tarinfo in directories:
path = DIR / tarinfo.name
self.assertEqual(os.path.getmtime(path), tarinfo.mtime)