author | James Cammarata <jimi@sngx.net> | 2014-08-05 13:29:43 -0500 |
---|---|---|
committer | James Cammarata <jimi@sngx.net> | 2014-08-06 13:25:29 -0500 |
commit | f8845af1951fb3745acddb0696fd988810719a0b (patch) | |
tree | 1494ed0fb79dce04bd328dbb77ff7712d1b01858 /bin/ansible-galaxy | |
parent | a45c3b84f33121c724264960b29f890c19ab90cc (diff) | |
download | ansible-f8845af1951fb3745acddb0696fd988810719a0b.tar.gz |
Add path checking for relative/escaped tar filenames in the ansible-galaxy command
Diffstat (limited to 'bin/ansible-galaxy')
-rwxr-xr-x | bin/ansible-galaxy | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/bin/ansible-galaxy b/bin/ansible-galaxy
index 946f7f429a..0d173321fc 100755
--- a/bin/ansible-galaxy
+++ b/bin/ansible-galaxy
@@ -445,6 +445,7 @@ def install_role(role_name, role_version, role_filename, options):
     # verify the role's meta file
     meta_file = None
     members = role_tar_file.getmembers()
+    # next find the metadata file
     for member in members:
         if "/meta/main.yml" in member.name:
             meta_file = member
@@ -484,9 +485,16 @@ def install_role(role_name, role_version, role_filename, options):
     # now we do the actual extraction to the role_path
     for member in members:
-        # we only extract files
+        # we only extract files, and remove any relative path
+        # bits that might be in the file for security purposes
+        # and drop the leading directory, as mentioned above
         if member.isreg():
-            member.name = "/".join(member.name.split("/")[1:])
+            parts = member.name.split("/")[1:]
+            final_parts = []
+            for part in parts:
+                if part != '..' and '~' not in part and '$' not in part:
+                    final_parts.append(part)
+            member.name = os.path.join(*final_parts)
             role_tar_file.extract(member, role_path)
     # write out the install info file for later use |
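Review bot: `member.name = os.path.join(*final_parts)` raises TypeError when `final_parts` is empty, which happens for any regular file whose name has a single component (for example a top-level `README`, where `split("/")[1:]` is `[]`) or whose components were all stripped, so an unusual or crafted archive aborts the install instead of being skipped. The filter is also a denylist that rewrites the name rather than rejecting the member — only `..` is a traversal risk for `extract()`, and `~`/`$` are not expanded by tarfile — so the more robust check is to normalise the joined destination and confirm it still lies under `role_path` before extracting. A guard for the empty case plus that containment check would look like the fence below; `install_role` begins and ends outside this hunk.
```python
            parts = member.name.split("/")[1:]
            final_parts = [part for part in parts if part != '..' and '~' not in part and '$' not in part]
            if not final_parts:
                # nothing safe left to extract (top-level file or fully stripped name)
                continue
            member.name = os.path.join(*final_parts)
            # the stripped name must still resolve inside role_path
            dest = os.path.normpath(os.path.join(role_path, member.name))
            if not dest.startswith(os.path.join(os.path.normpath(role_path), "")):
                continue
            role_tar_file.extract(member, role_path)
```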