39 lines
1.4 KiB
Diff
39 lines
1.4 KiB
Diff
This patch was taken from upstream pywayland 0.4.15:
|
|
https://github.com/flacjacket/pywayland/pull/42
|
|
--- a/doc/protocol_build.py 2022-07-24 11:03:10.000000000 -0700
|
|
+++ b/doc/protocol_build.py 2022-12-20 20:00:48.659884422 -0800
|
|
@@ -14,6 +14,24 @@
|
|
)
|
|
)
|
|
|
|
+def _is_within_directory(directory, target):
|
|
+ """Helper to check for CVE-2007-4559"""
|
|
+ abs_directory = os.path.abspath(directory)
|
|
+ abs_target = os.path.abspath(target)
|
|
+
|
|
+ prefix = os.path.commonprefix([abs_directory, abs_target])
|
|
+
|
|
+ return prefix == abs_directory
|
|
+
|
|
+
|
|
+def _safe_extractall(tar, path=".", members=None, *, numeric_owner=False):
|
|
+ """Helper to check for CVE-2007-4559"""
|
|
+ for member in tar.getmembers():
|
|
+ member_path = os.path.join(path, member.name)
|
|
+ if not is_within_directory(path, member_path):
|
|
+ raise Exception("Attempted Path Traversal in Tar File")
|
|
+
|
|
+ tar.extractall(path, members, numeric_owner=numeric_owner)
|
|
|
|
def protocols_build(output_dir):
|
|
from pywayland.scanner import Protocol
|
|
@@ -26,7 +44,7 @@
|
|
protocol_dest = "wayland-protocols-{}".format(protocols_version)
|
|
urllib.request.urlretrieve(protocols_source, protocol_dest + ".tar.xz")
|
|
with tarfile.open(protocol_dest + ".tar.xz") as f:
|
|
- f.extractall()
|
|
+ _safe_extractall(f)
|
|
|
|
# walk the directory and generate all the protocols
|
|
protocol_files = [wayland_file] + sorted(
|