From e2ae0f8630c9e2a424cb6fac7d176cf84d8f3fc3 Mon Sep 17 00:00:00 2001
From: Louis Abel
Date: Tue, 13 Aug 2024 22:24:41 -0700
Subject: [PATCH] CVE fix for 'safe extract' tar is covered by filter
---
 iso/empanadas/empanadas/util/shared.py | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/iso/empanadas/empanadas/util/shared.py b/iso/empanadas/empanadas/util/shared.py
index f0520ea..987139d 100644
--- a/iso/empanadas/empanadas/util/shared.py
+++ b/iso/empanadas/empanadas/util/shared.py
@@ -1214,6 +1214,8 @@ class Shared:
 def tar_is_within_directory(directory, target):
 """
 CVE-2007-4559
+
+ Function is obsolete. Will be removed in a future version.
 """
 abs_directory = os.path.abspath(directory)
 abs_target = os.path.abspath(target)
@@ -1223,19 +1225,14 @@ class Shared:
 @staticmethod
 def tar_safe_extractall(tar, path=".",
- members=None, *, numeric_owner=False ):
 """
- CVE-2007-4559
+ CVE-2007-4559 is addressed by setting filter='tar'. This function will
+ remain here to reduce changes to utilities.
 """
- for member in tar.getmembers():
- member_path = os.path.join(path, member.name)
- if not Shared.tar_is_within_directory(path, member_path):
- raise Exception("Path traversal attempted in tar file")
-
- tar.extractall(path=path, members=members, numeric_owner=numeric_owner)
+ tar.extractall(path=path, numeric_owner=numeric_owner, filter='tar')
 @staticmethod
 def dnf_sync(repo, sync_root, work_root, arch, logger):
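Review bot: Removing `members` from the signature of `tar_safe_extractall` breaks any caller that still passes `members=`, which works against the new docstring's stated goal of leaving the utilities unchanged; the callers are not visible in this hunk, so confirm none pass it. Keeping the parameter and forwarding it is backward-compatible: leave `members=None, *,` in the signature and call `tar.extractall(path=path, members=members, numeric_owner=numeric_owner, filter='tar')`. The `filter` keyword exists only on Python 3.12+ and on the 3.8–3.11 point releases that backported PEP 706; on older interpreters the new call raises TypeError instead of extracting, so the supported interpreter range should be pinned to match. Note also that the `'tar'` filter rejects members whose resolved path lands outside `path` but still extracts symlink and hardlink members that point outside the destination, as well as device files; for archives from an untrusted source the `'data'` filter that the tarfile docs recommend is the stricter choice.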