github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 06:14:12 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Prevent arbitrary file write when decompressing files (#18421)

Browse Source 
* SECURITY: Prevent arbitrary file write when decompressing files
* FIX: Allow decompressing files into symlinked directories

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Gerhard Schlager <gerhard.schlager@discourse.org>
This commit is contained in:
Jarek Radosz
2022-09-29 20:00:38 +02:00
committed by GitHub
parent ae1e536e83
commit b27d5626d2
9 changed files with 175 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
lib/compression/tar.rb
View File

@ -26,10 +26,12 @@ module Compression
yield(tar_extract)
end
def build_entry_path(_compressed_file, dest_path, compressed_file_path, entry, _allow_non_root_folder)
File.join(dest_path, entry.full_name).tap do |entry_path|
FileUtils.mkdir_p(File.dirname(entry_path))
end
def build_entry_path(dest_path, entry, _)
File.join(dest_path, entry.full_name)
end
def decompression_results_path(dest_path, _)
dest_path
end
end
end