提交
8c94b703
编写于
9月 24, 2019
作者:
Chris Hunt
Address review comments
上级
08a0eeb9
变更
3
Showing
3 changed file
with
31 addition
and
30 deletion
+31
-30
news/3907.bugfix
news/3907.bugfix
+2
-1
src/pip/_internal/utils/unpacking.py
src/pip/_internal/utils/unpacking.py
+9
-7
tests/unit/test_utils_unpacking.py
tests/unit/test_utils_unpacking.py
+20
-22
news/3907.bugfix
Abort the installation process and raise an exception if one of the tar/zip file will be placed outside of target location causing security issue.
\ No newline at end of file
Abort installation if any archive contains a file which would be placed
outside the extraction location.
src/pip/_internal/utils/unpacking.py
...
...
@@ -120,11 +120,11 @@ def unzip_file(filename, location, flatten=True):
fn
=
os
.
path
.
join
(
location
,
fn
)
dir
=
os
.
path
.
dirname
(
fn
)
if
not
is_within_directory
(
location
,
fn
):
raise
InstallationError
(
'The zip file (%s) has a file (%s) trying to install '
'outside target directory (%s)'
%
(
filename
,
fn
,
location
)
message
=
(
'The zip file ({}) has a file ({}) trying to install '
'outside target directory ({})'
)
raise
InstallationError
(
message
.
format
(
filename
,
fn
,
location
))
if
fn
.
endswith
(
'/'
)
or
fn
.
endswith
(
'
\\
'
):
# A directory
ensure_dir
(
fn
)
...
...
@@ -185,10 +185,12 @@ def untar_file(filename, location):
fn
=
split_leading_dir
(
fn
)[
1
]
# type: ignore
path
=
os
.
path
.
join
(
location
,
fn
)
if
not
is_within_directory
(
location
,
path
):
message
=
(
'The tar file ({}) has a file ({}) trying to install '
'outside target directory ({})'
)
raise
InstallationError
(
'The tar file (%s) has a file (%s) trying to install '
'outside target directory (%s)'
%
(
filename
,
path
,
location
)
message
.
format
(
filename
,
path
,
location
)
)
if
member
.
isdir
():
ensure_dir
(
path
)
...
...
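Review bot: In the `untar_file` hunk the containment check is applied to `path`, the joined destination of the member, and nothing visible here applies it to where a link member points (`member.linkname`); the rest of the function lies outside the hunk, so this may be handled further down. If it is not, a symlink or hard-link entry could satisfy this check while still referring to a location outside `location`. Stating the scope next to the check would help the next reader, e.g. `# Validates the member's own destination only; link targets are handled separately below.` (adjusted to whatever the rest of the function actually does). The body of `is_within_directory` is not shown either, so whether it resolves existing symlinks under `location` or only normalises the path string cannot be confirmed from this page.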
tests/unit/test_utils_unpacking.py
...
...
@@ -126,13 +126,11 @@ class TestUnpackArchives(object):
Test unpacking a *.zip with file containing .. path
and expect exception
"""
test_zip
=
self
.
make_zip_file
(
'test_zip.zip'
,
[
'regular_file.txt'
,
os
.
path
.
join
(
'..'
,
'outside_file.txt'
)])
with
pytest
.
raises
(
InstallationError
,
match
=
r
'.*trying to install outside target directory.*'
):
files
=
[
'regular_file.txt'
,
os
.
path
.
join
(
'..'
,
'outside_file.txt'
)]
test_zip
=
self
.
make_zip_file
(
'test_zip.zip'
,
files
)
with
pytest
.
raises
(
InstallationError
)
as
e
:
unzip_file
(
test_zip
,
self
.
tempdir
)
assert
'trying to install outside target directory'
in
str
(
e
.
value
)
def
test_unpack_zip_success
(
self
):
"""
...
...
@@ -140,11 +138,12 @@ class TestUnpackArchives(object):
no file will be installed outside target directory after unpack
so no exception raised
"""
test_zip
=
self
.
make_zip_file
(
'test_zip.zip'
,
[
'regular_file1.txt'
,
os
.
path
.
join
(
'dir'
,
'dir_file1.txt'
),
os
.
path
.
join
(
'dir'
,
'..'
,
'dir_file2.txt'
)])
files
=
[
'regular_file1.txt'
,
os
.
path
.
join
(
'dir'
,
'dir_file1.txt'
),
os
.
path
.
join
(
'dir'
,
'..'
,
'dir_file2.txt'
),
]
test_zip
=
self
.
make_zip_file
(
'test_zip.zip'
,
files
)
unzip_file
(
test_zip
,
self
.
tempdir
)
def
test_unpack_tar_failure
(
self
):
...
...
@@ -152,13 +151,11 @@ class TestUnpackArchives(object):
Test unpacking a *.tar with file containing .. path
and expect exception
"""
test_tar
=
self
.
make_tar_file
(
'test_tar.tar'
,
[
'regular_file.txt'
,
os
.
path
.
join
(
'..'
,
'outside_file.txt'
)])
with
pytest
.
raises
(
InstallationError
,
match
=
r
'.*trying to install outside target directory.*'
):
files
=
[
'regular_file.txt'
,
os
.
path
.
join
(
'..'
,
'outside_file.txt'
)]
test_tar
=
self
.
make_tar_file
(
'test_tar.tar'
,
files
)
with
pytest
.
raises
(
InstallationError
)
as
e
:
untar_file
(
test_tar
,
self
.
tempdir
)
assert
'trying to install outside target directory'
in
str
(
e
.
value
)
def
test_unpack_tar_success
(
self
):
"""
...
...
@@ -166,11 +163,12 @@ class TestUnpackArchives(object):
no file will be installed outside target directory after unpack
so no exception raised
"""
test_tar
=
self
.
make_tar_file
(
'test_tar.tar'
,
[
'regular_file1.txt'
,
os
.
path
.
join
(
'dir'
,
'dir_file1.txt'
),
os
.
path
.
join
(
'dir'
,
'..'
,
'dir_file2.txt'
)])
files
=
[
'regular_file1.txt'
,
os
.
path
.
join
(
'dir'
,
'dir_file1.txt'
),
os
.
path
.
join
(
'dir'
,
'..'
,
'dir_file2.txt'
),
]
test_tar
=
self
.
make_tar_file
(
'test_tar.tar'
,
files
)
untar_file
(
test_tar
,
self
.
tempdir
)
...
...
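Review bot: Both failure tests build the archive with a single escaping entry, `os.path.join('..', 'outside_file.txt')`, so only relative `..` traversal is exercised. A member name that is an absolute path takes a different route through `os.path.join(location, fn)` and deserves its own case, and for tar a link member would be worth covering as well. Parametrising the existing tests, for example `@pytest.mark.parametrize('bad_name', [os.path.join('..', 'outside_file.txt'), os.path.abspath('outside_file.txt')])`, would add that coverage without new test bodies. The test methods begin outside the hunks shown, and `make_zip_file` / `make_tar_file` are assumed to accept arbitrary member names.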