mirror of
https://github.com/samba-team/samba.git
synced 2025-12-16 00:23:52 +03:00
python:safe_tarfile: Improve safe extract()
This also checks for symlinks and hardlinks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
committed by
Andrew Bartlett
parent
431f7698e4
commit
1f74f9f366
@@ -35,17 +35,7 @@ class TarFile(UnsafeTarFile):
|
||||
except AttributeError:
|
||||
def extract(self, member, path="", set_attrs=True, *,
|
||||
numeric_owner=False):
|
||||
if isinstance(member, TarInfo):
|
||||
name = member.name
|
||||
else:
|
||||
name = member
|
||||
|
||||
if '../' in name:
|
||||
raise ExtractError(f"'../' is not allowed in path '{name}'")
|
||||
|
||||
if name.startswith('/'):
|
||||
raise ExtractError(f"path '{name}' should not start with '/'")
|
||||
|
||||
self._safetarfile_check()
|
||||
super().extract(member, path, set_attrs=set_attrs,
|
||||
numeric_owner=numeric_owner)
|
||||
|
||||
|
||||
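Review bot: The fallback `extract()` now appears to rely entirely on `self._safetarfile_check()`, which takes neither `member` nor `path`, so the entry being extracted is no longer validated directly. This reads the +35,7 side as that call followed by `super().extract(...)`, because the rendered page has lost its +/- markers. The helper and the `try` body that precedes `except AttributeError:` are both outside this hunk, so confirm that the helper still rejects names containing `../` and names starting with `/`, as the inline checks did, alongside the symlink and hardlink cases the commit message mentions. If it walks every archive member, a caller-supplied `TarInfo` that is not in the archive listing would not be covered, and each single-member `extract()` would pay a full scan. A comment above the call such as `# validates every member of the archive, not only 'member'; any unsafe entry aborts the call`, plus a regression test for an absolute name, a `../` name and a link whose target leaves the destination, would pin that contract.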