-rwxr-xr-xbin/ansible-galaxy12
1 files changed, 10 insertions, 2 deletions
diff --git a/bin/ansible-galaxy b/bin/ansible-galaxy
index 946f7f429a..0d173321fc 100755
--- a/bin/ansible-galaxy
+++ b/bin/ansible-galaxy
@@ -445,6 +445,7 @@ def install_role(role_name, role_version, role_filename, options):
# verify the role's meta file
meta_file = None
members = role_tar_file.getmembers()
+ # next find the metadata file
for member in members:
if "/meta/main.yml" in member.name:
meta_file = member
@@ -484,9 +485,16 @@ def install_role(role_name, role_version, role_filename, options):
# now we do the actual extraction to the role_path
for member in members:
- # we only extract files
+ # we only extract files, and remove any relative path
+ # bits that might be in the file for security purposes
+ # and drop the leading directory, as mentioned above
if member.isreg():
- member.name = "/".join(member.name.split("/")[1:])
+ parts = member.name.split("/")[1:]
+ final_parts = []
+ for part in parts:
+ if part != '..' and '~' not in part and '$' not in part:
+ final_parts.append(part)
+ member.name = os.path.join(*final_parts)
role_tar_file.extract(member, role_path)
# write out the install info file for later use
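Review bot: `os.path.join(*final_parts)` raises TypeError when `final_parts` is empty, which happens for a regular file at the top level of the archive (nothing is left after `[1:]`) or for a name whose remaining components are all filtered out, so a single odd member aborts the install. Dropping the rejected components instead of rejecting the member also lets two different archive names land on the same destination (`role/files/$x/a` and `role/files/a` both become `files/a`), and nothing in the hunk confirms that the result stays under `role_path`. I would skip such members outright and compare the resolved destination with `role_path` before `extract`, as sketched below; this is stricter than the committed behaviour, since the member is no longer extracted under a rewritten name. install_role starts and ends outside the hunk.

```python
if member.isreg():
    parts = member.name.split("/")[1:]
    # skip, rather than rewrite, a member whose path is empty or suspicious
    if not parts or any(p == '..' or '~' in p or '$' in p for p in parts):
        continue
    member.name = os.path.join(*parts)
    # defence in depth: the resolved destination must stay inside role_path
    dest = os.path.realpath(os.path.join(role_path, member.name))
    if not dest.startswith(os.path.realpath(role_path) + os.sep):
        continue
    role_tar_file.extract(member, role_path)
```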