From 2687775ea356b2e8e94990250324e1697904c163 Mon Sep 17 00:00:00 2001 From: TrellixVulnTeam Date: Thu, 8 Dec 2022 08:10:08 +0000 Subject: [PATCH] Adding tarfile member sanitization to extractall() --- .../pygments/lexers/_php_builtins.py | 21 ++++++++++++++++++- Python/Linux/local/lib/python3.6/tarfile.py | 21 ++++++++++++++++++- .../pygments/lexers/_php_builtins.py | 21 ++++++++++++++++++- 3 files changed, 60 insertions(+), 3 deletions(-) diff --git a/Python/Linux/local/lib/python3.6/site-packages/pygments/lexers/_php_builtins.py b/Python/Linux/local/lib/python3.6/site-packages/pygments/lexers/_php_builtins.py index ad54492..359792d 100644 --- a/Python/Linux/local/lib/python3.6/site-packages/pygments/lexers/_php_builtins.py +++ b/Python/Linux/local/lib/python3.6/site-packages/pygments/lexers/_php_builtins.py @@ -4726,7 +4726,26 @@ def get_php_functions(): def get_php_references(): download = urlretrieve(PHP_MANUAL_URL) with tarfile.open(download[0]) as tar: - tar.extractall() + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar) yield from glob.glob("%s%s" % (PHP_MANUAL_DIR, PHP_REFERENCE_GLOB)) os.remove(download[0]) diff --git a/Python/Linux/local/lib/python3.6/tarfile.py b/Python/Linux/local/lib/python3.6/tarfile.py index 24e3f4d..77b766d 100644 --- a/Python/Linux/local/lib/python3.6/tarfile.py +++ b/Python/Linux/local/lib/python3.6/tarfile.py @@ -2506,7 +2506,26 @@ def main(): if is_tarfile(src): with TarFile.open(src, 'r:*') as tf: - tf.extractall(path=curdir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tf, path=curdir) if args.verbose: if curdir == '.': msg = '{!r} file is extracted.'.format(src) diff --git a/Python/Windows/bin/Lib/site-packages/pygments/lexers/_php_builtins.py b/Python/Windows/bin/Lib/site-packages/pygments/lexers/_php_builtins.py index ad54492..359792d 100644 --- a/Python/Windows/bin/Lib/site-packages/pygments/lexers/_php_builtins.py +++ b/Python/Windows/bin/Lib/site-packages/pygments/lexers/_php_builtins.py @@ -4726,7 +4726,26 @@ def get_php_functions(): def get_php_references(): download = urlretrieve(PHP_MANUAL_URL) with tarfile.open(download[0]) as tar: - tar.extractall() + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar) yield from glob.glob("%s%s" % (PHP_MANUAL_DIR, PHP_REFERENCE_GLOB)) os.remove(download[0])