telpho10_credential_dump: Prevent traversal in untar #14034
Merged
Use File.basename for tar file contents to prevent relative path traversal in the untar method in telpho10_credential_dump. Potentially resolves #14015
I have no idea if this is suitable as I'm uncertain as to the expected structure of the tar file contents. However, the module appears to expect the contents to exist within the root of the tar file.
Nonetheless, this patch prevents the path traversal.
There may still be some issues with symlinks, especially as the tar file contents are decompressed then immediately modified with File.chmod(entry.header.mode, dest).
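The following is an added illustration of a hardened untar routine in the spirit of this fix; it is not the module's code and not the diff in this PR. It uses RubyGems' Gem::Package::TarReader and TarWriter in place of whatever tar handling the module has, and the names safe_entry_path, safe_untar and build_sample_tar are made up for the example, as is the sample archive built inline. It keeps the File.basename flattening the PR proposes, adds a containment check behind it as a second guard, and addresses the symlink concern raised above by skipping non-regular entries, creating files with O_EXCL so a planted link at the destination is never followed, and masking the header mode before the chmod.

```ruby
require 'rubygems/package'
require 'stringio'
require 'tmpdir'
require 'fileutils'

# Resolve where an archive entry may be written. With flatten: true the
# entry name is reduced to its basename, as the PR does, so "../../x/y"
# lands as "<dest_dir>/y". The containment check is kept as a second
# guard so that a non-flattened name can never escape dest_dir either.
# Returns the absolute destination path, or nil if the entry must be skipped.
def safe_entry_path(dest_dir, entry_name, flatten: true)
  name = flatten ? File.basename(entry_name) : entry_name
  return nil if name.empty? || name == '.' || name == '..'

  base   = File.expand_path(dest_dir)
  target = File.expand_path(name, base) # collapses any "../" segments
  return nil unless target.start_with?(base + File::SEPARATOR)

  target
end

# Extract regular files from an in-memory tar stream into dest_dir.
# Symlinks, hard links and directories are skipped: a link target can point
# anywhere on the filesystem, and the chmod that follows extraction would
# operate on whatever the link points at. Returns [extracted, skipped].
def safe_untar(tar_bytes, dest_dir)
  extracted = []
  skipped   = []
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |tar|
    tar.each do |entry|
      name = entry.full_name
      dest = entry.file? ? safe_entry_path(dest_dir, name) : nil
      if dest.nil?
        skipped << name
        next
      end
      begin
        # O_EXCL refuses to open an existing path, so a symlink planted at
        # dest (by an earlier entry or anything else) is never followed.
        File.open(dest, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
          f.binmode
          f.write(entry.read || ''.b)
        end
      rescue Errno::EEXIST
        skipped << name
        next
      end
      # Keep only the permission bits; drop setuid/setgid/sticky from the header.
      File.chmod(entry.header.mode & 0o777, dest)
      extracted << dest
    end
  end
  [extracted, skipped]
end

# Constructed sample archive (not from the page): one ordinary file, one
# entry with a relative-traversal name, and one symlink.
def build_sample_tar
  io = StringIO.new(''.b)
  Gem::Package::TarWriter.new(io) do |tar|
    tar.add_file('config.ini', 0o644) { |f| f.write("user=admin\n") }
    tar.add_file('../../outside.txt', 0o644) { |f| f.write("escaped?\n") }
    tar.add_symlink('link', '/tmp/elsewhere', 0o777)
  end
  io.string
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    extracted, skipped = safe_untar(build_sample_tar, dir)
    puts "extracted: #{extracted.inspect}"
    puts "skipped:   #{skipped.inspect}"
  end
end
```

Run as a script it writes config.ini and outside.txt (the traversal entry, flattened to its basename) into a temporary directory and reports the symlink entry as skipped; nothing is created outside the destination. The flatten option exists so the same containment check can be reused if the module's expected tar layout turns out to include subdirectories.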