From 1bcb945360e757e5fa881dc274d9dae8dd825afb Mon Sep 17 00:00:00 2001
From: Jason Smalls
Date: Tue, 11 Jul 2023 21:31:53 +0200
Subject: [PATCH] Harden get_meta in archive.py against variants of CVE-2022-35410

---
 libmat2/archive.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libmat2/archive.py b/libmat2/archive.py
index 847f81c..5978846 100644
--- a/libmat2/archive.py
+++ b/libmat2/archive.py
@@ -146,8 +146,14 @@ class ArchiveBasedAbstractParser(abstract.AbstractParser):
 if self._is_dir(item): # pragma: no cover
 continue # don't keep empty folders
- zin.extract(member=item, path=temp_folder)
 full_path = os.path.join(temp_folder, member_name)
+ if not os.path.abspath(full_path).startswith(temp_folder):
+ logging.error("%s contains a file (%s) pointing outside (%s) of its root.", self.filename, member_name, full_path)
+ break
+
+ zin.extract(member=item, path=temp_folder)
+
 os.chmod(full_path, stat.S_IRUSR)
 specific_meta = self._specific_get_meta(full_path, member_name)
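Review bot: The new containment check `os.path.abspath(full_path).startswith(temp_folder)` is a plain string-prefix test, so a path that merely shares temp_folder's leading characters (a sibling directory whose name begins with the same text) passes it, and abspath does not resolve symlinks, so the check cannot tell whether a previously extracted link already redirects a later member outside the root. A stricter form is `root = os.path.realpath(temp_folder)` followed by `if os.path.commonpath([root, os.path.realpath(full_path)]) != root:`, which compares whole path components and follows links; whether temp_folder is itself already absolute and normalized is not visible in the hunk. The `break` after the logging.error leaves the loop with the metadata gathered so far, which presumably is then returned as if the archive had been fully inspected — an explicit failure return or exception may fit get_meta's callers better. The enclosing method starts before and ends after this hunk.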