
Add path checking for relative/escaped tar filenames in the ansible-galaxy command

This commit is contained in:
James Cammarata 2014-08-05 13:29:43 -05:00
parent a45c3b84f3
commit f8845af195


@ -445,6 +445,7 @@ def install_role(role_name, role_version, role_filename, options):
# verify the role's meta file # verify the role's meta file
meta_file = None meta_file = None
members = role_tar_file.getmembers() members = role_tar_file.getmembers()
# next find the metadata file
for member in members: for member in members:
if "/meta/main.yml" in member.name: if "/meta/main.yml" in member.name:
meta_file = member meta_file = member
@ -484,9 +485,16 @@ def install_role(role_name, role_version, role_filename, options):
# now we do the actual extraction to the role_path # now we do the actual extraction to the role_path
for member in members: for member in members:
# we only extract files # we only extract files, and remove any relative path
# bits that might be in the file for security purposes
# and drop the leading directory, as mentioned above
if member.isreg(): if member.isreg():
member.name = "/".join(member.name.split("/")[1:]) parts = member.name.split("/")[1:]
final_parts = []
for part in parts:
if part != '..' and '~' not in part and '$' not in part:
final_parts.append(part)
member.name = os.path.join(*final_parts)
role_tar_file.extract(member, role_path) role_tar_file.extract(member, role_path)
# write out the install info file for later use # write out the install info file for later use