Browse code
Add path checking for relative/escaped tar filenames in the ansible-galaxy command
James Cammarata authored on 2014/08/06 03:29:43Showing 1 changed files
| ... | ... |
@@ -445,6 +445,7 @@ def install_role(role_name, role_version, role_filename, options): |
| 445 | 445 |
# verify the role's meta file |
| 446 | 446 |
meta_file = None |
| 447 | 447 |
members = role_tar_file.getmembers() |
| 448 |
+ # next find the metadata file |
|
| 448 | 449 |
for member in members: |
| 449 | 450 |
if "/meta/main.yml" in member.name: |
| 450 | 451 |
meta_file = member |
| ... | ... |
@@ -484,9 +485,16 @@ def install_role(role_name, role_version, role_filename, options): |
| 484 | 484 |
|
| 485 | 485 |
# now we do the actual extraction to the role_path |
| 486 | 486 |
for member in members: |
| 487 |
- # we only extract files |
|
| 487 |
+ # we only extract files, and remove any relative path |
|
| 488 |
+ # bits that might be in the file for security purposes |
|
| 489 |
+ # and drop the leading directory, as mentioned above |
|
| 488 | 490 |
if member.isreg(): |
| 489 |
- member.name = "/".join(member.name.split("/")[1:])
|
|
| 491 |
+ parts = member.name.split("/")[1:]
|
|
| 492 |
+ final_parts = [] |
|
| 493 |
+ for part in parts: |
|
| 494 |
+ if part != '..' and '~' not in part and '$' not in part: |
|
| 495 |
+ final_parts.append(part) |
|
| 496 |
+ member.name = os.path.join(*final_parts) |
|
| 490 | 497 |
role_tar_file.extract(member, role_path) |
| 491 | 498 |
|
| 492 | 499 |
# write out the install info file for later use |