Commit beebca4b authored by jvoisin's avatar jvoisin

Prevent arbitrary file read via zip archives

A zip file with a file pointing to /etc/passwd would, upon being cleaned by
mat2, produce a file with the filesystem's /etc/passwd file.
parent e2c4dbf7
Pipeline #96635 passed with stages
in 2 minutes and 13 seconds
......@@ -190,8 +190,14 @@ class ArchiveBasedAbstractParser(abstract.AbstractParser):
if member_name[-1] == '/': # `is_dir` is added in Python3.6
continue # don't keep empty folders
zin.extract(member=item, path=temp_folder)
full_path = os.path.join(temp_folder, member_name)
if not os.path.abspath(full_path).startswith(temp_folder):
logging.error("%s contains a file (%s) pointing outside (%s) of its root.",
self.filename, member_name, full_path)
abort = True
break
zin.extract(member=item, path=temp_folder)
try:
original_permissions = os.stat(full_path).st_mode
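Review bot: The containment test `os.path.abspath(full_path).startswith(temp_folder)` is a plain string-prefix comparison, so a path that merely shares the prefix (constructed example: root `/tmp/x`, resolved path `/tmp/xy/f`) is accepted, and the test is only sound if `temp_folder` is itself absolute and normalised, which this hunk does not show. Comparing against the root with a trailing separator closes that gap: `if not os.path.abspath(full_path).startswith(os.path.abspath(temp_folder) + os.sep):`. `abspath` also leaves symlinks unresolved, so if any archive type handled by this class can materialise links on extraction, `os.path.realpath` on both sides would be the safer comparison. The enclosing loop and the handling of `abort` lie outside the hunk; a regression test with an absolute member name and a `../` member name would pin the behaviour.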
......