Commit e2c4dbf7 in jvoisin / mat2, authored Jul 05, 2022 by jvoisin
Show a scary message in case of path traversal attempt
parent 704367f9
Pipeline #96628 passed with stages in 2 minutes and 13 seconds
libmat2/archive.py
...
...
@@ -193,14 +193,24 @@ class ArchiveBasedAbstractParser(abstract.AbstractParser):
zin
.
extract
(
member
=
item
,
path
=
temp_folder
)
full_path
=
os
.
path
.
join
(
temp_folder
,
member_name
)
original_permissions
=
os
.
stat
(
full_path
).
st_mode
try
:
original_permissions
=
os
.
stat
(
full_path
).
st_mode
except
FileNotFoundError
:
logging
.
error
(
"Something went wrong during processing of "
"%s in %s, likely a path traversal attack."
,
member_name
,
self
.
filename
)
abort
=
True
# we're breaking instead of continuing, because this exception
# is raised in case of weird path-traversal-like atttacks.
break
os
.
chmod
(
full_path
,
original_permissions
|
stat
.
S_IWUSR
|
stat
.
S_IRUSR
)
original_compression
=
self
.
_get_member_compression
(
item
)
if
self
.
_specific_cleanup
(
full_path
)
is
False
:
logging
.
warning
(
"Something went wrong during deep cleaning of %s"
,
member_name
)
logging
.
warning
(
"Something went wrong during deep cleaning of
%s in
%s"
,
member_name
,
self
.
filename
)
abort
=
True
continue
...
...
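Review bot: The new try/except around os.stat(full_path) detects a traversal attempt only after zin.extract(member=item, path=temp_folder) has already run, and only through the side effect that the expected file is missing. Nothing in these lines checks member_name itself, so a name for which os.path.join(temp_folder, member_name) resolves to an existing path outside temp_folder (os.path.join discards temp_folder when its second argument is absolute) would pass the stat and reach os.chmod. Unless member_name is validated earlier, outside the visible lines, consider checking before extraction that os.path.realpath(full_path) is still under temp_folder and treating a failure as the error case, keeping the FileNotFoundError handler as a fallback. The handler also catches only FileNotFoundError; other OSError subclasses raised by os.stat (for example NotADirectoryError) would still propagate unhandled, so catching OSError here may be the safer choice. Minor: the added comment spells "atttacks" with three t's.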