From b3d7b075038dfd9770df27421051875350754d2c Mon Sep 17 00:00:00 2001 From: Tom Anderson Date: Wed, 13 Mar 2024 19:32:47 +0000 Subject: [PATCH] Allow valid links in extracted tar archives The check is intended to ensure paths don't traverse outside the extracted directory. However, the check was too strict: it banned all links, even relative links that still point inside the target directory. This CL relaxes the requirement to allow valid links. This is required to allow library symlinks for the instrumented libraries. Examples: libpcre.so -> libpcre.so.3.13.3 libpcre.so.3 -> libpcre.so.3.13.3 libpixman-1.so -> libpixman-1.so.0.38.4 libpixman-1.so.0 -> libpixman-1.so.0.38.4 libpng16.so -> libpng16.so.16.37.0 libpng16.so.16 -> libpng16.so.16.37.0 Bug: 320564950 Change-Id: I2aae18b86b1f1cc3d73a1b80c06d757af782f700 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5369132 Reviewed-by: Joanna Wang Auto-Submit: Thomas Anderson Commit-Queue: Joanna Wang --- download_from_google_storage.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/download_from_google_storage.py b/download_from_google_storage.py index 950a23999..e7f99f70a 100755 --- a/download_from_google_storage.py +++ b/download_from_google_storage.py @@ -225,7 +225,14 @@ def _validate_tar_file(tar, prefix): def _validate(tarinfo): """Returns false if the tarinfo is something we explicitly forbid.""" if tarinfo.issym() or tarinfo.islnk(): - return False + # For links, check if the destination is valid. + if os.path.isabs(tarinfo.linkname): + return False + link_target = os.path.normpath( + os.path.join(os.path.dirname(tarinfo.name), tarinfo.linkname)) + if not link_target.startswith(prefix): + return False + if ('../' in tarinfo.name or '..\\' in tarinfo.name or not tarinfo.name.startswith(prefix)): return False