# HG changeset patch # User iuc # Date 1702892212 0 # Node ID c4dba88e85ef239a85a4343f1215d954410011b8 # Parent cc18f0f3514c33ab16b468f6ae69abc710f26605 planemo upload for repository https://github.com/galaxyproject/tools-iuc/tree/master/data_managers/data_manager_qiime_database_downloader commit 09b56ef3e09ad6c5923c88616fea5cbd77d87616 diff -r cc18f0f3514c -r c4dba88e85ef data_manager/data_manager_qiime_download.py --- a/data_manager/data_manager_qiime_download.py Sun Nov 22 12:53:09 2020 +0000 +++ b/data_manager/data_manager_qiime_download.py Mon Dec 18 09:36:52 2023 +0000 @@ -183,7 +183,20 @@ archive_content_path = "tmp" if ext == "tar.gz" or ext == "tgz": with tarfile.open(filepath) as tar: - tar.extractall(path=archive_content_path) + def is_within_directory(directory, target): + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + prefix = os.path.commonprefix([abs_directory, abs_target]) + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + tar.extractall(path, members, numeric_owner=numeric_owner) + + safe_extract(tar, path=archive_content_path) archive_content_path = find_archive_content_path(archive_content_path) elif ext == "zip": with zipfile.ZipFile(filepath, 'r') as zip_ref: diff -r cc18f0f3514c -r c4dba88e85ef data_manager/data_manager_qiime_download.xml --- a/data_manager/data_manager_qiime_download.xml Sun Nov 22 12:53:09 2020 +0000 +++ b/data_manager/data_manager_qiime_download.xml Mon Dec 18 09:36:52 2023 +0000 @@ -1,4 +1,4 @@ - + requests @@ -90,6 +90,5 @@ ]]> 10.1038/nmeth.f.303 - \ No newline at end of file
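# HG changeset patch
Review bot: `is_within_directory` in the `data_manager_qiime_download.py` hunk compares with `os.path.commonprefix`, which is a character-wise prefix, not a path-component prefix, so a sibling directory whose name starts with the extraction directory's name passes the check (with `archive_content_path = "tmp"`, a member named `../tmp2/x` resolves to `<cwd>/tmp2/x`, whose common prefix with `<cwd>/tmp` is `<cwd>/tmp`, and the function returns True). Use `os.path.commonpath([abs_directory, abs_target]) == abs_directory` or `abs_target == abs_directory or abs_target.startswith(abs_directory + os.sep)` instead, and on interpreters that support it prefer the standard library's own protection, `tar.extractall(path=archive_content_path, filter="data")`, which also rejects symlink and hardlink members pointing outside the destination, a case the member-name check here does not cover. Two smaller points: the helpers are redefined inside the `with tarfile.open(...)` block on every call and read better as module-level functions, and `raise Exception("Attempted Path Traversal in Tar File")` should be a more specific exception type (e.g. `ValueError`) so callers can distinguish it from other failures. The `elif ext == "zip"` branch below gets no equivalent check, which is fine for `zipfile.extractall` (it sanitises member names) but is worth a comment so the asymmetry is not read as an omission.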