diff --git a/qtwebengine/src/3rdparty/chromium/third_party/catapult/tracing/tracing/extras/symbolizer/symbolize_trace.py b/qtwebengine/src/3rdparty/chromium/third_party/catapult/tracing/tracing/extras/symbolizer/symbolize_trace.py index cb5c4170b14..eccd8a08117 100755 --- a/qtwebengine/src/3rdparty/chromium/third_party/catapult/tracing/tracing/extras/symbolizer/symbolize_trace.py +++ b/qtwebengine/src/3rdparty/chromium/third_party/catapult/tracing/tracing/extras/symbolizer/symbolize_trace.py @@ -1700,7 +1700,26 @@ def GetSymbolsPath(version): def ExtractSymbolTarFile(symbol_sub_dir, symbol_tar_file): os.makedirs(symbol_sub_dir) with tarfile.open(os.path.expanduser(symbol_tar_file), "r:bz2") as tar: - tar.extractall(symbol_sub_dir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar, symbol_sub_dir) symbol_sub_dir = os.path.join(symbol_base_directory, version) if os.path.isdir(symbol_sub_dir): diff --git a/qtwebengine/src/3rdparty/chromium/third_party/highway/src/test.py b/qtwebengine/src/3rdparty/chromium/third_party/highway/src/test.py index f0e5da31acd..cd440e3c17e 100755 --- a/qtwebengine/src/3rdparty/chromium/third_party/highway/src/test.py +++ b/qtwebengine/src/3rdparty/chromium/third_party/highway/src/test.py 
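Review bot: `tar.extractall(path, members, numeric_owner)` in the added `safe_extract` passes `numeric_owner` positionally, but in CPython's `tarfile.TarFile.extractall` that parameter is keyword-only, so the call raises TypeError before any member is written; the line should read `tar.extractall(path, members, numeric_owner=numeric_owner)`. The identical line appears in the highway `test.py`, vulkan `utils.py` and crates `download.py` hunks below and needs the same fix there. Separately, `is_within_directory` relies on `os.path.commonprefix`, which compares characters rather than path components, so a destination ending in `.../v1` also accepts members that resolve into a sibling `.../v1x`; `os.path.commonpath([abs_directory, abs_target]) == abs_directory` is the component-wise test, and on interpreters that offer extraction filters, `filter="data"` on the `extractall` call additionally rejects symlink members that point outside the destination, which this name-only check cannot see. `raise Exception("Attempted Path Traversal in Tar File")` would be easier for callers to handle deliberately as a narrower type such as `ValueError` or a module-level error class. The enclosing `GetSymbolsPath` starts before the hunk and `ExtractSymbolTarFile` is nested inside it.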
@@ -79,7 +79,26 @@ def run_wasm_tests(work_dir, target, desired_config, config_name, options): with tempfile.TemporaryDirectory() as extract_dir: with tarfile.open(tar_pathname, mode="r:") as tar: - tar.extractall(extract_dir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar, extract_dir) test_args = args + [os.path.join(extract_dir, test) + ".js"] run_subprocess(test_args, extract_dir) diff --git a/qtwebengine/src/3rdparty/chromium/third_party/vulkan-deps/vulkan-validation-layers/src/scripts/utils/utils.py b/qtwebengine/src/3rdparty/chromium/third_party/vulkan-deps/vulkan-validation-layers/src/scripts/utils/utils.py index 0bda644b74e..52acf67653d 100644 --- a/qtwebengine/src/3rdparty/chromium/third_party/vulkan-deps/vulkan-validation-layers/src/scripts/utils/utils.py +++ b/qtwebengine/src/3rdparty/chromium/third_party/vulkan-deps/vulkan-validation-layers/src/scripts/utils/utils.py 
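Review bot: The helpers `is_within_directory` and `safe_extract` are defined inside the `with tarfile.open(tar_pathname, mode="r:") as tar:` body, which the following `test_args = args + [os.path.join(extract_dir, test) + ".js"]` line suggests sits in a per-test loop, so both functions are recreated on every iteration. Moving them to module level alongside the file's other helpers keeps `run_wasm_tests` readable and lets any other extraction in the file reuse one audited implementation. Since `extract_dir` comes from `tempfile.TemporaryDirectory()`, the check is validating against a fresh directory each time, which is worth a one-line comment such as `# members are validated against the per-test temp dir before extraction`. `run_wasm_tests` starts before and, from what the hunk shows, continues after it.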
@@ -72,7 +72,26 @@ def close(self): self.conn_.close() def expand_archive(path): if path.endswith('tar.gz') or path.endswith('tgz'): import tarfile - with tarfile.open(path, 'r:gz') as tar: tar.extractall() + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar) elif path.endswith('.zip'): import zipfile with zipfile.ZipFile(path, 'r') as archive: archive.extractall('.') diff --git a/qtwebengine/src/3rdparty/chromium/tools/crates/lib/download.py b/qtwebengine/src/3rdparty/chromium/tools/crates/lib/download.py index 80be27c4197..5bd2aa11cfd 100644 --- a/qtwebengine/src/3rdparty/chromium/tools/crates/lib/download.py +++ b/qtwebengine/src/3rdparty/chromium/tools/crates/lib/download.py 
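Review bot: The added helpers call `os.path.abspath`, `os.path.commonprefix` and `os.path.join`, but the only import visible in `expand_archive` is the function-local `import tarfile`; unless `os` is already imported at the top of `utils.py` (not shown in the hunk), `safe_extract(tar)` fails with NameError on the first member. Adding `import os` next to `import tarfile` in that branch, or confirming the module-level import, closes that gap. Because `path` defaults to `"."`, the traversal check is evaluated against the process's current working directory, the same place `archive.extractall('.')` writes in the zip branch, so a comment `# extracts into, and validates against, the current working directory` would make that contract visible. `expand_archive` may continue past the end of the hunk.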
@@ -231,4 +231,23 @@ def _untar_crate(crate_name: str, version: str, crate_tarball: bytes): raise UntarAbsolutePathError(m.name) # Drop the first path component, which is the crate's name-version. m.name = re.sub("^.+?/", "", m.name) - contents.extractall(path=common.os_crate_cargo_dir(crate_name, version)) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(contents, path=common.os_crate_cargo_dir(crate_name,version))
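Review bot: `_untar_crate` already inspects every member in the loop visible above (`raise UntarAbsolutePathError(m.name)` and the `re.sub` that strips the leading component), so the traversal check belongs in that same loop, raising the project's own exception family rather than a bare `Exception("Attempted Path Traversal in Tar File")` that callers handling `UntarAbsolutePathError` will not catch. The ordering does work as written, since `contents.getmembers()` returns the same `TarInfo` objects whose `name` the earlier loop rewrote, but that dependency deserves a comment such as `# names were rewritten above; validate the stripped paths, not the originals`. `os` is used by the helpers yet no import of it is visible in the hunk; confirm it is imported at module level. The final call `safe_extract(contents, path=common.os_crate_cargo_dir(crate_name,version))` is missing the space after the comma that the surrounding code uses. `_untar_crate` starts before the hunk.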