[diffoscope] 02/02: Don't write to arbitrary locations when extracting archive members
Ximin Luo
infinity0 at debian.org
Thu Feb 9 22:16:33 CET 2017
This is an automated email from the git hooks/post-receive script.
infinity0 pushed a commit to branch master
in repository diffoscope.
commit 7195a5cc22de7b9cfc7b31fa11503428cb5e4da6
Author: Ximin Luo <infinity0 at debian.org>
Date: Thu Feb 9 22:16:00 2017 +0100
Don't write to arbitrary locations when extracting archive members
---
debian/changelog | 7 +++++++
diffoscope/comparators/utils/libarchive.py | 9 +++++++--
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index d045b5d..20f36d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+diffoscope (76) UNRELEASED; urgency=medium
+
+ * Don't write to arbitrary locations when extracting archive members.
+ (Closes: #XXXXXX)
+
+ -- Ximin Luo <infinity0 at debian.org> Thu, 09 Feb 2017 22:14:46 +0100
+
diffoscope (75) unstable; urgency=medium
[ Chris Lamb ]
diff --git a/diffoscope/comparators/utils/libarchive.py b/diffoscope/comparators/utils/libarchive.py
index 17c3727..3eca2c6 100644
--- a/diffoscope/comparators/utils/libarchive.py
+++ b/diffoscope/comparators/utils/libarchive.py
@@ -212,10 +212,15 @@ class LibarchiveContainer(Archive):
if entry.isdir:
continue
- if not os.path.basename(entry.pathname.rstrip('/' + os.sep)):
+ clean_name = os.path.basename(entry.pathname.rstrip('/' + os.sep))
+ if not clean_name:
+ logger.warn("Skipping member because we could not make a safe name to extract it to: '%s'",
+ entry.pathname)
continue
- dst = os.path.join(self._unpacked, entry.pathname)
+ # TODO: need to fix reading these cleaned members. currently
+ # reading will still try to use the uncleaned name.
+ dst = os.path.join(self._unpacked, clean_name)
os.makedirs(os.path.dirname(dst), exist_ok=True)
with open(dst, 'wb') as f:
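Review bot: Flattening every member to `os.path.basename(...)` makes two members with the same file name in different directories (for example `a/data` and `b/data`) map to the same `dst`, so the later `open(dst, 'wb')` silently overwrites the earlier one and the comparison can use the wrong contents. A basename of `..` (from a pathname such as `x/..`) also passes the `if not clean_name` check and then fails in `open()` instead of being skipped with the warning. Keeping the member's relative path and rejecting anything that resolves outside the extraction directory would avoid both, e.g. `dst = os.path.realpath(os.path.join(self._unpacked, entry.pathname))` followed by `if not dst.startswith(os.path.realpath(self._unpacked) + os.sep): continue`, with the existing warning logged before the `continue`; this would presumably also make the TODO about reads using the uncleaned name unnecessary. The enclosing loop and method start and end outside this hunk, so how `dst` is used after the `with` line is not visible here.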
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/diffoscope.git