explain why extractall is safe to use

2025-08-17 09:02:15 -06:00 · 2022-10-11 17:44:38 +02:00 · 2022-10-11 17:44:38 +02:00 · fdb969ea89
parent 08977854b3
commit fdb969ea89
1 changed files with 6 additions and 0 deletions
--- a/scripts/sfx.py
+++ b/scripts/sfx.py
@ -269,6 +269,12 @@ def unpack():
        raise Exception(t.format(CKSUM, SIZE, ck, sz))

    with tarfile.open(tar, "r:bz2") as tf:
+        # this is safe against traversal
+        # skip 1
+        # since it will never process user-provided data;
+        # the only possible input is a single tar.bz2
+        # which gets hardcoded into this script at build stage
+        # skip 0
        tf.extractall(mine)

    os.remove(tar)