...
|
...
|
@@ -445,6 +445,7 @@ def install_role(role_name, role_version, role_filename, options):
|
445
|
445
|
# verify the role's meta file
|
446
|
446
|
meta_file = None
|
447
|
447
|
members = role_tar_file.getmembers()
|
|
448
|
+ # next find the metadata file
|
448
|
449
|
for member in members:
|
449
|
450
|
if "/meta/main.yml" in member.name:
|
450
|
451
|
meta_file = member
|
...
|
...
|
@@ -484,9 +485,16 @@ def install_role(role_name, role_version, role_filename, options):
|
484
|
484
|
|
485
|
485
|
# now we do the actual extraction to the role_path
|
486
|
486
|
for member in members:
|
487
|
|
- # we only extract files
|
|
487
|
+ # we only extract files, and remove any relative path
|
|
488
|
+ # bits that might be in the file for security purposes
|
|
489
|
+ # and drop the leading directory, as mentioned above
|
488
|
490
|
if member.isreg():
|
489
|
|
- member.name = "/".join(member.name.split("/")[1:])
|
|
491
|
+ parts = member.name.split("/")[1:]
|
|
492
|
+ final_parts = []
|
|
493
|
+ for part in parts:
|
|
494
|
+ if part != '..' and '~' not in part and '$' not in part:
|
|
495
|
+ final_parts.append(part)
|
|
496
|
+ member.name = os.path.join(*final_parts)
|
490
|
497
|
role_tar_file.extract(member, role_path)
|
491
|
498
|
|
492
|
499
|
# write out the install info file for later use
|
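Review bot: `member.name = os.path.join(*final_parts)` (new line 496) raises `TypeError` when `final_parts` is empty, which happens for a regular file at the top level of the archive (no "/" in its name) or when every remaining component is filtered out. Guard it with `if not final_parts: continue` before the join. The filter also rewrites suspicious names silently instead of rejecting them, so `a/../b` and `a/$x/b` both collapse onto `a/b` and can overwrite a legitimate member. Skipping the member or failing the install with a warning would be safer and easier to audit. Nothing in the hunk confirms the final destination stays under `role_path`; a check before `extract` that `os.path.realpath(os.path.join(role_path, member.name))` starts with `os.path.realpath(role_path) + os.sep` would cover cases the component filter misses. The body of `install_role` starts and ends outside this hunk, so any earlier validation of `members` is not visible here.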