fix _decompress security problem (PaddlePaddle#61294) (PaddlePaddle#6…

…1337)
hanhaowen-mt · Jan 31, 2024 · 0227a0d · 0227a0d
1 parent aeaa0ca
commit 0227a0d
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/python/paddle/utils/download.py b/python/paddle/utils/download.py
@@ -311,7 +311,10 @@ def _decompress(fname):
 
 def _uncompress_file_zip(filepath):
     with zipfile.ZipFile(filepath, 'r') as files:
-        file_list = files.namelist()
+        file_list_tmp = files.namelist()
+        file_list = []
+        for file in file_list_tmp:
+            file_list.append(file.replace("../", ""))
 
         file_dir = os.path.dirname(filepath)
 
@@ -340,7 +343,10 @@ def _uncompress_file_zip(filepath):
 
 def _uncompress_file_tar(filepath, mode="r:*"):
     with tarfile.open(filepath, mode) as files:
-        file_list = files.getnames()
+        file_list_tmp = files.getnames()
+        file_list = []
+        for file in file_list_tmp:
+            file_list.append(file.replace("../", ""))
 
         file_dir = os.path.dirname(filepath)