diff --git a/python-interpreter/Lib/site-packages/pygments/lexers/_php_builtins.py b/python-interpreter/Lib/site-packages/pygments/lexers/_php_builtins.py index 168cb446..3c0936c6 100644 --- a/python-interpreter/Lib/site-packages/pygments/lexers/_php_builtins.py +++ b/python-interpreter/Lib/site-packages/pygments/lexers/_php_builtins.py @@ -4725,7 +4725,26 @@ def get_php_functions(): def get_php_references(): download = urlretrieve(PHP_MANUAL_URL) with tarfile.open(download[0]) as tar: - tar.extractall() + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar) yield from glob.glob("%s%s" % (PHP_MANUAL_DIR, PHP_REFERENCE_GLOB)) os.remove(download[0]) diff --git a/python-interpreter/Lib/tarfile.py b/python-interpreter/Lib/tarfile.py index 1d156126..98dd54b0 100644 --- a/python-interpreter/Lib/tarfile.py +++ b/python-interpreter/Lib/tarfile.py @@ -2541,7 +2541,26 @@ def main(): if is_tarfile(src): with TarFile.open(src, 'r:*') as tf: - tf.extractall(path=curdir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tf, path=curdir) if args.verbose: if curdir == '.': msg = '{!r} file is extracted.'.format(src) diff --git a/python-interpreter/Lib/test/test_tarfile.py b/python-interpreter/Lib/test/test_tarfile.py index 29cde91b..f8d32de7 100644 --- a/python-interpreter/Lib/test/test_tarfile.py +++ b/python-interpreter/Lib/test/test_tarfile.py @@ -644,7 +644,26 @@ def test_extractall_pathlike_name(self): with support.temp_dir(DIR), \ tarfile.open(tarname, encoding="iso8859-1") as tar: directories = [t for t in tar if t.isdir()] - tar.extractall(DIR, directories) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar, DIR, directories) for tarinfo in directories: path = DIR / tarinfo.name self.assertEqual(os.path.getmtime(path), tarinfo.mtime)