From f8845af1951fb3745acddb0696fd988810719a0b Mon Sep 17 00:00:00 2001
From: James Cammarata
Date: Tue, 5 Aug 2014 13:29:43 -0500
Subject: [PATCH] Add path checking for relative/escaped tar filenames in the ansible-galaxy command
---
 bin/ansible-galaxy | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/bin/ansible-galaxy b/bin/ansible-galaxy
index 946f7f429a7..0d173321fc9 100755
--- a/bin/ansible-galaxy
+++ b/bin/ansible-galaxy
@@ -445,6 +445,7 @@ def install_role(role_name, role_version, role_filename, options):
 # verify the role's meta file
 meta_file = None
 members = role_tar_file.getmembers()
+ # next find the metadata file
 for member in members:
 if "/meta/main.yml" in member.name:
 meta_file = member
@@ -484,9 +485,16 @@ def install_role(role_name, role_version, role_filename, options):
 # now we do the actual extraction to the role_path
 for member in members:
- # we only extract files
+ # we only extract files, and remove any relative path
+ # bits that might be in the file for security purposes
+ # and drop the leading directory, as mentioned above
 if member.isreg():
- member.name = "/".join(member.name.split("/")[1:])
+ parts = member.name.split("/")[1:]
+ final_parts = []
+ for part in parts:
+ if part != '..' and '~' not in part and '$' not in part:
+ final_parts.append(part)
+ member.name = os.path.join(*final_parts)
 role_tar_file.extract(member, role_path)
 # write out the install info file for later use
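Review bot: The sanitisation in the second hunk can still crash and still relocates files instead of rejecting them: when `final_parts` ends up empty (a top-level regular file, or a name such as `role/..`), `os.path.join(*final_parts)` raises TypeError, and a member whose `..` component was silently dropped is written to a path the archive author never declared, which can overwrite a sibling file inside `role_path`. Treating a `..` component (or an empty result) as a reason to skip the member is safer than filtering it out, and a final containment check of the resolved destination against `os.path.realpath(role_path)` catches whatever the component filter misses. The `~` and `$` tests have no effect on `tarfile` extraction, which does no shell expansion, so they are harmless but should not be relied on. `install_role` starts and ends outside the hunk.
```python
            if member.isreg():
                parts = member.name.split("/")[1:]
                # reject, rather than silently relocate, anything that could
                # escape role_path; the leading directory is still dropped
                if not parts or '..' in parts:
                    continue
                member.name = os.path.join(*parts)
                dest = os.path.realpath(os.path.join(role_path, member.name))
                if not dest.startswith(os.path.realpath(role_path) + os.sep):
                    continue
                role_tar_file.extract(member, role_path)
```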