**Note:** Starting with python 2.7.4, this is a non-issue for ZIP archives.

To figure out where a path really points to, use os.path.abspath() (but note the caveat about symlinks as path components). If you normalize a path from your zipfile with abspath and it does not contain the current directory as a prefix, it's pointing outside it.

But you also need to check the value of any symlink extracted from your archive (both tarfiles and unix zipfiles can store symlinks). This is important if you are worried about a proverbial "malicious user" that would intentionally bypass your security, rather than an application that simply installs itself in system libraries.

That's the aforementioned caveat: abspath will be misled if your sandbox already contains a symlink that points to a directory. Even a symlink that points within the sandbox can be dangerous: The symlink `sandbox/subdir/foo -> ..` points to `sandbox`, so the path `sandbox/subdir/foo/../.bashrc` should be disallowed. The easiest way to do so is to wait until the previous files have been extracted and use os.path.realpath(). Fortunately extractall() accepts a generator, so this is easy to do.

Since you ask for code, here's a bit that explicates the algorithm. It prohibits not only the extraction of files to locations outside the sandbox (which is what was requested), but also the creation of links inside the sandbox that point to locations outside the sandbox. I'm curious to hear if anyone can sneak any stray files or links past it.

```python
import tarfile
from sys import stderr
from os.path import abspath, realpath, dirname, join as joinpath

resolved = lambda x: realpath(abspath(x))

# joinpath will ignore base if path is absolute
return not resolved(joinpath(base, path)).startswith(base)

# Links are interpreted relative to the directory containing the link
tip = resolved(joinpath(base, dirname(info.name)))

elif finfo.issym() and badlink(finfo, base):
print >>stderr, finfo.name, "is blocked (illegal path)"
```