[diffoscope] 01/01: Better way of performing the entry name sanitisation

Ximin Luo infinity0 at debian.org
Thu Feb 9 21:30:22 UTC 2017 

This is an automated email from the git hooks/post-receive script.

infinity0 pushed a commit to branch master
in repository diffoscope.

commit e0563c81b745beab9f17fe7274d9d9c5d9775ef1
Author: Ximin Luo <infinity0 at debian.org>
Date:   Thu Feb 9 22:30:15 2017 +0100

    Better way of performing the entry name sanitisation
---
 debian/changelog                           |  2 +-
 diffoscope/comparators/utils/libarchive.py | 14 +++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 20f36d8..0f4fd27 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,7 @@
 diffoscope (76) UNRELEASED; urgency=medium
 
   * Don't write to arbitrary locations when extracting archive members.
-    (Closes: #XXXXXX)
+    (Closes: #854723)
 
  -- Ximin Luo <infinity0 at debian.org>  Thu, 09 Feb 2017 22:14:46 +0100
 
diff --git a/diffoscope/comparators/utils/libarchive.py b/diffoscope/comparators/utils/libarchive.py
index 3eca2c6..2acbb74 100644
--- a/diffoscope/comparators/utils/libarchive.py
+++ b/diffoscope/comparators/utils/libarchive.py
@@ -212,15 +212,23 @@ class LibarchiveContainer(Archive):
                 if entry.isdir:
                     continue
 
-                clean_name = os.path.basename(entry.pathname.rstrip('/' + os.sep))
-                if not clean_name:
+                # All extracted locations must be underneath self._unpacked
+                force_prefix = os.path.join(self._unpacked, "")
+
+                # Try to pick a safe and reasonable candidate name
+                candidate_name = os.path.normpath(entry.pathname.rstrip('/' + os.sep))
+                if os.path.isabs(candidate_name):
+                    candidate_name = os.path.relpath(candidate_name, os.path.join(os.path.sep))
+
+                dst = os.path.normpath(os.path.join(self._unpacked, candidate_name))
+                if not dst.startswith(force_prefix):
                     logger.warn("Skipping member because we could not make a safe name to extract it to: '%s'",
                                 entry.pathname)
                     continue
 
                 # TODO: need to fix reading these cleaned members. currently
                 # reading will still try to use the uncleaned name.
-                dst = os.path.join(self._unpacked, clean_name)
+                #logging.debug("Extracting %s to %s", entry.pathname, dst)
                 os.makedirs(os.path.dirname(dst), exist_ok=True)
 
                 with open(dst, 'wb') as f:

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/diffoscope.git

More information about the Reproducible-commits mailing list