python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-01-26 09:14:27 +03:00
Code Issues Packages Projects Releases Wiki Activity

Adding tarfile member sanitization to extractall()

Browse Source
This commit is contained in:
TrellixVulnTeam 2022-10-30 23:44:48 +00:00 committed by nulano
parent 4fc0a4ceb2
commit e50a3a213e
No known key found for this signature in database
GPG Key ID: B650CDF63B705766
1 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
winbuild/build_prepare.py
View File

@ -474,7 +474,26 @@ def extract_dep(url, filename):
zf.extractall(sources_dir) zf.extractall(sources_dir)
elif filename.endswith(".tar.gz") or filename.endswith(".tgz"): elif filename.endswith(".tar.gz") or filename.endswith(".tgz"):
with tarfile.open(file, "r:gz") as tgz: with tarfile.open(file, "r:gz") as tgz:
tgz.extractall(sources_dir) def is_within_directory(directory, target):
abs_directory = os.path.abspath(directory)
abs_target = os.path.abspath(target)
prefix = os.path.commonprefix([abs_directory, abs_target])
return prefix == abs_directory
def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
for member in tar.getmembers():
member_path = os.path.join(path, member.name)
if not is_within_directory(path, member_path):
raise Exception("Attempted Path Traversal in Tar File")
tar.extractall(path, members, numeric_owner=numeric_owner)
safe_extract(tgz, sources_dir)
else: else:
raise RuntimeError("Unknown archive type: " + filename) raise RuntimeError("Unknown archive type: " + filename)