explain why extractall is safe to use

ed 2022-10-11 17:44:38 +02:00
parent 08977854b3
commit fdb969ea89


@ -269,6 +269,12 @@ def unpack():
raise Exception(t.format(CKSUM, SIZE, ck, sz)) raise Exception(t.format(CKSUM, SIZE, ck, sz))
with tarfile.open(tar, "r:bz2") as tf: with tarfile.open(tar, "r:bz2") as tf:
# this is safe against traversal
# skip 1
# since it will never process user-provided data;
# the only possible input is a single tar.bz2
# which gets hardcoded into this script at build stage
# skip 0
tf.extractall(mine) tf.extractall(mine)
os.remove(tar) os.remove(tar)
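Review bot: The new comment above `tf.extractall(mine)` justifies safety only by provenance (the archive is embedded at build time) and never mentions the integrity check that appears to precede it. The `raise Exception(t.format(CKSUM, SIZE, ck, sz))` on the first hunk line suggests that size and checksum are compared before the archive is opened, so I would add `# and its size/checksum are verified just above` to make the argument complete. The reasoning also assumes nothing can replace `tar` between that check and `tarfile.open`; presumably the file lives in a private directory, but that is outside the hunk and worth stating in the comment. As defense in depth on interpreters that ship extraction filters, `tf.extractall(mine, filter="data")` guarded by `hasattr(tarfile, "data_filter")` would reject absolute and `..` member paths regardless of where the archive came from. The body of `unpack()` starts and ends outside this hunk.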