security-and-privacy/mat2
security-and-privacy/mat2
1
0
Fork 0
mirror of synced 2024-11-24 02:04:23 +01:00
Code Releases Activity

Harden get_meta in archive.py against variants of CVE-2022-35410

Browse Source
This commit is contained in:
Jason Smalls 2023-07-11 21:31:53 +02:00 committed by jvoisin
parent 9159fe8705
commit 1bcb945360
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libmat2/archive.py
View File

@ -146,8 +146,14 @@ class ArchiveBasedAbstractParser(abstract.AbstractParser):
if self._is_dir(item): # pragma: no cover if self._is_dir(item): # pragma: no cover
continue # don't keep empty folders continue # don't keep empty folders
zin.extract(member=item, path=temp_folder)
full_path = os.path.join(temp_folder, member_name) full_path = os.path.join(temp_folder, member_name)
if not os.path.abspath(full_path).startswith(temp_folder):
logging.error("%s contains a file (%s) pointing outside (%s) of its root.",
self.filename, member_name, full_path)
break
zin.extract(member=item, path=temp_folder)
os.chmod(full_path, stat.S_IRUSR) os.chmod(full_path, stat.S_IRUSR)
specific_meta = self._specific_get_meta(full_path, member_name) specific_meta = self._specific_get_meta(full_path, member_name)