Check for CVE-2007-4559

In practice there is little benefit in crafting a TAR that maliciously overwrites files right before reprounzip executes your code. You can just be malicious there. Nevertheless, let's do the right thing.
VIDA-NYU · Oct 29, 2022 · 81e3ea4 · 81e3ea4
1 parent c5393db
commit 81e3ea4
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/reprounzip/reprounzip/common.py b/reprounzip/reprounzip/common.py
@@ -348,6 +348,13 @@ def extract_data(self, root, members):
 
         The members must come from get_data().
         """
+        # Check for CVE-2007-4559
+        abs_root = root.absolute()
+        for member in members:
+            member_path = (root / member.name).absolute()
+            if not member_path.lies_under(abs_root):
+                raise ValueError("Invalid path in data tar")
+
         self.data.extractall(str(root), members)
 
     def copy_data_tar(self, target):

diff --git a/reprozip/reprozip/common.py b/reprozip/reprozip/common.py
@@ -348,6 +348,13 @@ def extract_data(self, root, members):
 
         The members must come from get_data().
         """
+        # Check for CVE-2007-4559
+        abs_root = root.absolute()
+        for member in members:
+            member_path = (root / member.name).absolute()
+            if not member_path.lies_under(abs_root):
+                raise ValueError("Invalid path in data tar")
+
         self.data.extractall(str(root), members)
 
     def copy_data_tar(self, target):