Ticket #27659: patch.diff

File patch.diff, 3.1 KB (added by Florian Apolloner, 7 years ago)
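diff --git a/django/utils/archive.py b/django/utils/archive.py
index 13f8afa..f8032d8 100644
--- a/django/utils/archive.py
+++ b/django/utils/archive.py
@@ -27,6 +27,7 @@
 import zipfile
 
 from django.utils import six
+from django.utils._os import safe_join
 
 
 class ArchiveException(Exception):
@@ -146,7 +147,7 @@ def extract(self, to_path):
             name = member.name
             if leading:
                 name = self.split_leading_dir(name)[1]
-            filename = os.path.join(to_path, name)
+            filename = safe_join(to_path, name)
             if member.isdir():
                 if filename and not os.path.exists(filename):
                     os.makedirs(filename)
@@ -187,11 +188,13 @@ def extract(self, to_path):
             data = self._archive.read(name)
             if leading:
                 name = self.split_leading_dir(name)[1]
-            filename = os.path.join(to_path, name)
+            if not name:
+                continue
+            filename = safe_join(to_path, name)
             dirname = os.path.dirname(filename)
             if dirname and not os.path.exists(dirname):
                 os.makedirs(dirname)
-            if filename.endswith(('/', '\\')):
+            if name.endswith(('/', '\\')):
                 # A directory
                 if not os.path.exists(filename):
                     os.makedirs(filename)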
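Review bot: The tar branch (second hunk) does not get the `if not name: continue` guard the zip branch receives in the third hunk, so with `leading` set the member that names the leading directory itself reaches `safe_join(to_path, '')`; presumably that resolves to `to_path` and is accepted as the base, but the two extractors now diverge for the same shape of input, and I would mirror the guard, `if not name:` / `continue`, immediately before `filename = safe_join(to_path, name)`. That line also deserves a comment, because `SuspiciousFileOperation` comes from django.core.exceptions and is not an `ArchiveException`, so callers catching only the latter will not see it: `# safe_join raises SuspiciousFileOperation for absolute or ".."-escaping member names; deliberately not wrapped in ArchiveException`. Note that safe_join validates only the member's name; if any code past this hunk materialises tar symlinks or hardlinks, their link targets are outside this check and would need their own validation. Both `extract` methods start before and continue after their hunks.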
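diff --git a/tests/utils_tests/archives/absolute.tar b/tests/utils_tests/archives/absolute.tar
new file mode 100644
index 0000000..4522447
Binary files /dev/null and b/tests/utils_tests/archives/absolute.tar differ
diff --git a/tests/utils_tests/archives/dotdot.tar b/tests/utils_tests/archives/dotdot.tar
new file mode 100644
index 0000000..30cf436
Binary files /dev/null and b/tests/utils_tests/archives/dotdot.tar differ
diff --git a/tests/utils_tests/test_archive.py b/tests/utils_tests/test_archive.py
index d1dc5f2..929d22a 100644
--- a/tests/utils_tests/test_archive.py
+++ b/tests/utils_tests/test_archive.py
@@ -3,6 +3,7 @@
 import tempfile
 import unittest
 
+from django.core.exceptions import SuspiciousFileOperation
 from django.utils._os import upath
 from django.utils.archive import Archive, extract
 
@@ -60,6 +61,29 @@ def check_files(self, tmpdir):
         self.assertTrue(os.path.isfile(os.path.join(self.tmpdir, 'foo', 'bar', '2')))
 
 
+class TestSafeUnarchival(unittest.TestCase):
+
+    def setUp(self):
+        """
+        Create temporary directory for testing extraction.
+        """
+        self.old_cwd = os.getcwd()
+        self.tmpdir = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, self.tmpdir)
+        # Always start off in TEST_DIR.
+        os.chdir(TEST_DIR)
+
+    def test_absolute_path(self):
+        path = os.path.join(TEST_DIR, 'absolute.tar')
+        with self.assertRaises(SuspiciousFileOperation):
+            extract(path)
+
+    def test_no_dotdot_in_path(self):
+        path = os.path.join(TEST_DIR, 'dotdot.tar')
+        with self.assertRaises(SuspiciousFileOperation):
+            extract(path)
+
+
 class TestZip(ArchiveTester, unittest.TestCase):
     archive = 'foobar.zip'
 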
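Review bot: `test_absolute_path` and `test_no_dotdot_in_path` call `extract(path)` with no target directory, so extraction goes wherever `extract`'s default points (presumably the current directory, which `setUp` has just switched to `TEST_DIR`), while `self.tmpdir` is created but never used and `self.old_cwd` is saved but never restored. If the traversal check ever regresses, the malicious entries would be written relative to the test source tree rather than a throwaway directory, and the chdir leaks into every later test in the process. I would pass the temp dir explicitly, `extract(path, self.tmpdir)` in both tests, and add `self.addCleanup(os.chdir, self.old_cwd)` right after the chdir in `setUp`. The setUp docstring could also state the contract being tested, e.g. `"""Archives with absolute or '..' member names must be rejected before anything is written to disk."""`.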