1
0
mirror of synced 2024-11-22 01:04:23 +01:00

Prevent arbitrary file read via zip archives

A zip file with a file pointing to /etc/passwd would, upon being cleaned by
mat2, produce a file with the filesystem's /etc/passwd file.
This commit is contained in:
jvoisin 2022-07-05 16:27:07 +02:00
parent e2c4dbf721
commit beebca4bf1

View File

@ -190,8 +190,14 @@ class ArchiveBasedAbstractParser(abstract.AbstractParser):
if member_name[-1] == '/': # `is_dir` is added in Python3.6
continue # don't keep empty folders
zin.extract(member=item, path=temp_folder)
full_path = os.path.join(temp_folder, member_name)
if not os.path.abspath(full_path).startswith(temp_folder):
logging.error("%s contains a file (%s) pointing outside (%s) of its root.",
self.filename, member_name, full_path)
abort = True
break
zin.extract(member=item, path=temp_folder)
try:
original_permissions = os.stat(full_path).st_mode