
Commit a5a6b78

author
Shamal Faily
committed
Fix uncontrolled data used in path expression
1 parent e2e1ccf commit a5a6b78


1 file changed

+9
-1
lines changed


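--- a/cairis/bin/cimport.py
+++ b/cairis/bin/cimport.py
@@ -56,10 +56,18 @@ def main(args=None):
 file_import(importFile,mFormat,overwriteFlag)
 
 def safe_extract(zf, member, target_dir):
+if (os.path.isabs(member)):
+raise ARMException('Invalid path in package: ' + member)
 normalised_member = os.path.normpath(member)
 target_path = os.path.abspath(os.path.join(target_dir, normalised_member))
 target_dir_abs = os.path.abspath(target_dir)
-if (os.path.commonpath([target_dir_abs, target_path]) != target_dir_abs):
+
+try:
+common = os.path.commonpath([target_dir_abs, target_path])
+except ValueError:
+raise ARMException('Invalid path in package: ' + member)
+
+if common != target_dir_abs:
 raise ARMException('Invalid path in package: ' + member)
 
 with open(target_path, 'wb') as out_f: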
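Review bot: The new `except ValueError:` branch re-raises without chaining, so the ARMException will carry the ValueError as implicit `__context__` in tracebacks; make the intent explicit with `raise ARMException('Invalid path in package: ' + member) from None` (or `except ValueError as exc:` and `from exc` if the cause is worth keeping). The containment test is now correct for `..` and absolute members, but a member that normalises to `.` gives `target_path == target_dir_abs`, passes the `common != target_dir_abs` check, and presumably fails later at `open(target_path, 'wb')` with an OSError rather than an ARMException — worth confirming and rejecting up front, e.g. `if common != target_dir_abs or target_path == target_dir_abs:`. The three identical error strings could be hoisted into one local to keep the messages in sync. The rest of safe_extract continues past the hunk.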
