From e6f5b9cea46583eca628722129e85ba822c31bd3 Mon Sep 17 00:00:00 2001
From: Kurt Neufeld
Date: Fri, 3 Jun 2016 14:32:52 -0700
Subject: [PATCH] verify that extracted files are inside abs_destname also fixed bug where TwistedReceiver.abs_destname was not in fact absolute.
---
 src/wormhole/cli/cmd_receive.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/wormhole/cli/cmd_receive.py b/src/wormhole/cli/cmd_receive.py
index 239ef61..7725305 100644
--- a/src/wormhole/cli/cmd_receive.py
+++ b/src/wormhole/cli/cmd_receive.py
@@ -223,7 +223,7 @@ class TwistedReceiver:
 destname = os.path.basename(destname)
 if self.args.output_file:
 destname = self.args.output_file # override
- abs_destname = os.path.join(self.args.cwd, destname)
+ abs_destname = os.path.abspath( os.path.join(self.args.cwd, destname) )
 # get confirmation from the user before writing to the local directory
 if os.path.exists(abs_destname):
@@ -290,11 +290,16 @@ class TwistedReceiver:
 the zipfile module does not restore file permissions so we'll do it manually """
+ out_path = os.path.join( extract_dir, info.filename )
+ out_path = os.path.abspath( out_path )
+ if not out_path.startswith( extract_dir ):
+ raise ValueError( "malicious zipfile, %s outside of extract_dir %s"
+ % (info.filename, extract_dir) )
+
 zf.extract( info.filename, path=extract_dir )
 # not sure why zipfiles store the perms 16 bits away but they do
- perm = info.external_attr >> 16L
- out_path = os.path.join( extract_dir, info.filename )
+ perm = info.external_attr >> 16
 os.chmod( out_path, perm )
 self._msg(u"Unpacking zipfile..")
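Review bot: The containment test `out_path.startswith( extract_dir )` in the second hunk is a plain string-prefix comparison, so a member that resolves into a sibling directory whose name merely begins with the destination's name still passes it. Compare against the directory with a trailing separator, e.g. `if not out_path.startswith( os.path.join( extract_dir, "" ) ):`, and normalise `extract_dir` with `os.path.abspath` in the same place, since the hunk does not show that every caller passes an absolute, normalised path. `os.path.abspath` also leaves symlinks unresolved; `os.path.realpath` on both sides would cover a destination tree that already contains links. Separately, `perm` comes from the archive unmasked, so `os.chmod` can apply setuid/setgid bits or mode 0; `perm & 0o777`, skipping the chmod when the result is zero, would bound that. The function's signature and the start of its docstring lie outside the hunk.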