Commit message:
planemo upload for repository https://github.com/galaxyproject/tools-iuc/tree/master/data_managers/data_manager_mitos commit 096286097ed5cdf189a1b68c3fc34d10f4142e54 |
modified:
data_manager/data_manager.py data_manager_conf.xml |
diff -r 19d9be08560c -r 14785f8a3725 data_manager/data_manager.py
--- a/data_manager/data_manager.py Sun Nov 22 18:03:14 2020 +0000
+++ b/data_manager/data_manager.py Sun Apr 16 08:30:52 2023 +0000 |
@@ -54,7 +54,21 @@
 src.close()
 with tarfile.open(tarfname, "r:bz2") as tar:
 dirname = tar.getnames()[0]
- tar.extractall(workdir)
+
+ def is_within_directory(directory, target):
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+ safe_extract(tar, workdir)
 os.remove(tarfname)
 return dirname |
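Review bot: `is_within_directory` compares paths with `os.path.commonprefix`, which matches character by character rather than by path component, so a target in a sibling directory whose name merely begins with the workdir's name is accepted as inside it; `return os.path.commonpath([abs_directory, abs_target]) == abs_directory` compares whole components. The check also looks only at `member.name` through `os.path.abspath`, which does not resolve links, so symlink or hard-link members are not covered by it; where the runtime's `tarfile` supports extraction filters, `tar.extractall(path, members, numeric_owner=numeric_owner, filter="data")` rejects those as well. `raise Exception(...)` would be easier for callers to handle as a specific type such as `ValueError`, and the two helpers are redefined on every call because they sit inside the `with` block. The enclosing function starts before the hunk, so how `dirname` and `workdir` are used afterwards is not visible here.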
diff -r 19d9be08560c -r 14785f8a3725 data_manager_conf.xml
--- a/data_manager_conf.xml Sun Nov 22 18:03:14 2020 +0000
+++ b/data_manager_conf.xml Sun Apr 16 08:30:52 2023 +0000 |
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <data_managers>
- <data_manager tool_file="data_manager/data_manager_mitos.xml" id="mitos_fetcher" version="0.0.1">
+ <data_manager tool_file="data_manager/data_manager_mitos.xml" id="mitos_fetcher">
 <data_table name="mitos">
 <output>
 <column name="value" /> |