[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

process-deb-once-with-python review



On IRC, Neils asked to me review the Python part of this:
http://anonscm.debian.org/gitweb/?p=users/nthykier/lintian.git;a=shortlog;h=refs/heads/process-deb-once-with-python

TL;DR: I don't think extract_tar() is secure.

           target = os.path.normpath(os.path.join(output_dir, member.name))
           if (not target.startswith(output_dir_stem)
               and target != output_dir):
               raise ValueError("%s escapes unpack-root" % member.name)

os.path.normpath() doesn't access filesystem, so it won't protect you from escaping unpack-root via a symlink.

           elif member.issym():
               mtype = 'l'
               linkinfo = ' -> ' + member.linkname
           elif member.islnk():
               mtype = 'h'
               linkinfo = ' link to ' + member.linkname

What if linkname contains a newline, or another special character? Shouldn't it be escaped somehow?

           line = '%s0%o %d:%d:%s:%s %d %s _ %s%s\n' % (
               mtype, member.mode, uid, gid,
               owner, group, member.size,
               mdate.strftime('%Y-%m-%d'), name, linkinfo
           )

Same problem with escaping here.

           member.mode |= 0200

We should also make sure that the permissions won't be excessive (honoured umask, no setuid, no setgid etc.) and that the file will be owned by the user who runs the code.

           tf.extract(member, path=output_dir)

The extract() method is unfortunately quite dumb. :-( It will happily write over existing symlink, or write to an existing FIFO, or...

--
Jakub Wilk


Reply to: