|
|
|
@ -422,7 +422,26 @@ def _decompress(fname): |
|
|
|
|
|
|
|
if fname.find('tar') >= 0: |
|
|
|
with tarfile.open(fname) as tf: |
|
|
|
tf.extractall(path=fpath_tmp) |
|
|
|
def is_within_directory(directory, target): |
|
|
|
|
|
|
|
abs_directory = os.path.abspath(directory) |
|
|
|
abs_target = os.path.abspath(target) |
|
|
|
|
|
|
|
prefix = os.path.commonprefix([abs_directory, abs_target]) |
|
|
|
|
|
|
|
return prefix == abs_directory |
|
|
|
|
|
|
|
def safe_extract(tar, path=".", members=None, *, numeric_owner=False): |
|
|
|
|
|
|
|
for member in tar.getmembers(): |
|
|
|
member_path = os.path.join(path, member.name) |
|
|
|
if not is_within_directory(path, member_path): |
|
|
|
raise Exception("Attempted Path Traversal in Tar File") |
|
|
|
|
|
|
|
tar.extractall(path, members, numeric_owner=numeric_owner) |
|
|
|
|
|
|
|
|
|
|
|
safe_extract(tf, path=fpath_tmp) |
|
|
|
elif fname.find('zip') >= 0: |
|
|
|
with zipfile.ZipFile(fname) as zf: |
|
|
|
zf.extractall(path=fpath_tmp) |
|
|
|
|
TrellixVulnTeam
2 years ago