security-and-privacy/mat2
security-and-privacy/mat2
1
0
Fork 0
mirror of synced 2024-11-22 01:04:23 +01:00
Code Releases Activity

Show a scary message in case of path traversal attempt

Browse Source
This commit is contained in:
jvoisin 2022-07-05 15:30:10 +02:00
parent 704367f91e
commit e2c4dbf721
1 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
libmat2/archive.py
View File

@ -193,14 +193,24 @@ class ArchiveBasedAbstractParser(abstract.AbstractParser):
zin.extract(member=item, path=temp_folder) zin.extract(member=item, path=temp_folder)
full_path = os.path.join(temp_folder, member_name) full_path = os.path.join(temp_folder, member_name)
original_permissions = os.stat(full_path).st_mode try:
original_permissions = os.stat(full_path).st_mode
except FileNotFoundError:
logging.error("Something went wrong during processing of "
"%s in %s, likely a path traversal attack.",
member_name, self.filename)
abort = True
# we're breaking instead of continuing, because this exception
# is raised in case of weird path-traversal-like atttacks.
break
os.chmod(full_path, original_permissions | stat.S_IWUSR | stat.S_IRUSR) os.chmod(full_path, original_permissions | stat.S_IWUSR | stat.S_IRUSR)
original_compression = self._get_member_compression(item) original_compression = self._get_member_compression(item)
if self._specific_cleanup(full_path) is False: if self._specific_cleanup(full_path) is False:
logging.warning("Something went wrong during deep cleaning of %s", logging.warning("Something went wrong during deep cleaning of %s in %s",
member_name) member_name, self.filename)
abort = True abort = True
continue continue