From fcccb7c7264f5063a9fc103e425a072778a20b3a Mon Sep 17 00:00:00 2001 From: TrellixVulnTeam Date: Thu, 6 Oct 2022 10:59:16 +0000 Subject: [PATCH 1/2] Adding tarfile member sanitization to extractall() --- ch08/files/compression/tar.py | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/ch08/files/compression/tar.py b/ch08/files/compression/tar.py index 69af6c2..593c0fc 100644 --- a/ch08/files/compression/tar.py +++ b/ch08/files/compression/tar.py @@ -8,4 +8,26 @@ tar.add('subfolder/content4.txt') with tarfile.open('example.tar.gz', 'r:gz') as tar: - tar.extractall('extract_tar') + + import os + + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar, "extract_tar") From 8f08c1b031972e57b8b9a28b85a903a5ee2bd0cb Mon Sep 17 00:00:00 2001 From: Packt-ITService <62882280+Packt-ITService@users.noreply.github.com> Date: Wed, 18 Jan 2023 14:57:10 +0530 Subject: [PATCH 2/2] remove 5$ campaign - 2022 --- README.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/README.md b/README.md index 6170729..047c443 100644 --- a/README.md +++ b/README.md @@ -1,13 +1,4 @@ -### Get this product for $5 - -Packt is having its biggest sale of the year. Get this eBook or any other book, video, or course that you like just for $5 each - - -

[Buy now](https://packt.link/9781801815093)

 - - -

[Buy similar titles for just $5](https://subscription.packtpub.com/search)

 # Learn Python Programming 3rd Edition