verify that extracted files are inside abs_destname
Also fixed a bug where TwistedReceiver.abs_destname was not in fact absolute.
This commit is contained in:
parent
b04e434ad4
commit
e6f5b9cea4
@ -223,7 +223,7 @@ class TwistedReceiver:
destname = os.path.basename(destname)
destname = os.path.basename(destname)
if self.args.output_file:
if self.args.output_file:
destname = self.args.output_file # override
destname = self.args.output_file # override
abs_destname = os.path.join(self.args.cwd, destname)
abs_destname = os.path.abspath( os.path.join(self.args.cwd, destname) )
# get confirmation from the user before writing to the local directory
# get confirmation from the user before writing to the local directory
if os.path.exists(abs_destname):
if os.path.exists(abs_destname):
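Review bot: The new `abs_destname = os.path.abspath( os.path.join(self.args.cwd, destname) )` line normalizes `..` components, but the `self.args.output_file` override two lines above bypasses the `os.path.basename` sanitization applied to the sender-supplied `destname`, so the resulting path can land outside `self.args.cwd` whenever the local user asks for it. Since `output_file` is the receiver's own command-line option rather than peer-controlled data that is presumably intentional, but next to a commit about containment it reads like a gap; a comment such as `# output_file is the local user's choice and is deliberately not confined to cwd` would record the decision. Note also that `os.path.abspath` does not resolve symlinks, so any later containment test against a `realpath`'d base would need `os.path.realpath` here as well. The enclosing method starts before the hunk.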
@ -290,11 +290,16 @@ class TwistedReceiver:
the zipfile module does not restore file permissions
the zipfile module does not restore file permissions
so we'll do it manually
so we'll do it manually
"""
"""
out_path = os.path.join( extract_dir, info.filename )
out_path = os.path.abspath( out_path )
if not out_path.startswith( extract_dir ):
raise ValueError( "malicious zipfile, %s outside of extract_dir %s"
% (info.filename, extract_dir) )
zf.extract( info.filename, path=extract_dir )
zf.extract( info.filename, path=extract_dir )
# not sure why zipfiles store the perms 16 bits away but they do
# not sure why zipfiles store the perms 16 bits away but they do
perm = info.external_attr >> 16L
perm = info.external_attr >> 16
out_path = os.path.join( extract_dir, info.filename )
os.chmod( out_path, perm )
os.chmod( out_path, perm )
self._msg(u"Unpacking zipfile..")
self._msg(u"Unpacking zipfile..")
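Review bot: The containment check `if not out_path.startswith( extract_dir ):` is a bare string-prefix test, so an entry that resolves to a sibling directory whose name merely begins with the extract directory's name (e.g. `<extract_dir>-old/...`) is accepted, and it compares the normalized absolute `out_path` against `extract_dir` exactly as given, so if `extract_dir` is relative or unnormalized (it is assigned before the hunk, so this is inferred) every entry is rejected or the test says nothing. Computing `base = os.path.join(os.path.abspath(extract_dir), "")` once before the loop and testing `if not out_path.startswith(base):` closes both gaps; `os.path.commonpath` would be cleaner but this file is still Python 2 (`16L`, `u"..."`), so the trailing-separator prefix is the portable form. Separately, `perm = info.external_attr >> 16` is handed verbatim to `os.chmod`, so setuid/setgid/sticky bits carried by an untrusted archive are honoured on the extracted file; `os.chmod( out_path, perm & 0o777 )` keeps only the ordinary permission bits. The enclosing method begins before the hunk.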