
update_pdfium: fix tar vuln false negatives (e. g. '/dest', '/dest2')
mara004 committed Feb 27, 2023
1 parent 369af47 commit a6d43a7
Showing 1 changed file with 2 additions and 4 deletions.
6 changes: 2 additions & 4 deletions setupsrc/pypdfium2_setup/update_pdfium.py
Expand Up @@ -8,6 +8,7 @@
import argparse
import traceback
import functools
import os.path
from pathlib import Path
from urllib import request
from concurrent.futures import ThreadPoolExecutor
Expand Down Expand Up @@ -88,11 +89,8 @@ def safe_extract(tar, dest_dir, **kwargs):

dest_dir = dest_dir.resolve()
for member in tar.getmembers():
# if str(dest_dir) != os.path.commonprefix( [dest_dir, (dest_dir/member.name).resolve()] ):
# ^ initial @Kasimir123/@TrellixVulnTeam logic, simplified into a one-liner; code below should have same effect
# (yes, this also works against absolute paths)
# if not (dest_dir/member.name).resolve().is_relative_to(dest_dir): # python >= 3.9
if not str( (dest_dir/member.name).resolve() ).startswith( str(dest_dir) ):
if str(dest_dir) != os.path.commonprefix( [dest_dir, (dest_dir/member.name).resolve()] ):
raise RuntimeError("Attempted path traversal in tar archive (probably malicious).")
tar.extractall(dest_dir, **kwargs)

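Review bot: The new `os.path.commonprefix` line still compares characters, not path components, so with `dest_dir = /dest` and a member resolving to `/dest2/payload` the common prefix is `/dest`, which equals `str(dest_dir)` and the member is accepted — the exact false negative the commit title sets out to fix. Compare whole components instead, e.g. `target = (dest_dir/member.name).resolve()` followed by `if os.path.commonpath([dest_dir, target]) != str(dest_dir):` (it raises `ValueError` for paths on different drives, which should also be treated as rejection), or in pure pathlib `if target != dest_dir and dest_dir not in target.parents:`, which matches the `is_relative_to` variant kept in the comment without the Python 3.9 requirement. Separately, the check resolves each name against a destination that is not yet populated, so a member that is a symlink or hardlink (`member.issym()`/`member.islnk()`, `member.linkname`) pointing outside `dest_dir`, followed by a member written through that link, is not caught; rejecting link members whose `linkname` escapes, or passing `filter="data"` to `extractall` where the interpreter supports it, would close that gap. The `def safe_extract` line itself is above the hunk and appears only in the `@@` header.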
