fix _decompress security problem (#61294)

PaddlePaddle · Jan 30, 2024 · 4453ce5 · 4453ce5
1 parent 495c991
commit 4453ce5
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/python/paddle/utils/download.py b/python/paddle/utils/download.py
@@ -313,7 +313,10 @@ def _decompress(fname):
 
 def _uncompress_file_zip(filepath):
     with zipfile.ZipFile(filepath, 'r') as files:
-        file_list = files.namelist()
+        file_list_tmp = files.namelist()
+        file_list = []
+        for file in file_list_tmp:
+            file_list.append(file.replace("../", ""))
 
         file_dir = os.path.dirname(filepath)
 
@@ -342,7 +345,10 @@ def _uncompress_file_zip(filepath):
 
 def _uncompress_file_tar(filepath, mode="r:*"):
     with tarfile.open(filepath, mode) as files:
-        file_list = files.getnames()
+        file_list_tmp = files.getnames()
+        file_list = []
+        for file in file_list_tmp:
+            file_list.append(file.replace("../", ""))
 
         file_dir = os.path.dirname(filepath)