rpms
/
python-zipp
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6c38b4975a'
${ noResults }
python-zipp/CVE-2024-5569_EPEL8.patch

105 lines
3.4 KiB
Raw Blame History

diff -ur zipp-0.5.1.orig/test_zipp.py zipp-0.5.1/test_zipp.py
--- zipp-0.5.1.orig/test_zipp.py 2019-05-17 01:34:53.000000000 +1000
+++ zipp-0.5.1/test_zipp.py 2024-09-22 18:45:15.000000000 +1000
@@ -170,3 +170,20 @@
root = zipp.Path(zipfile_abcde)
assert (root / 'a').parent.at == ''
assert (root / 'a' / 'b').parent.at == 'a/'
+
+ def test_malformed_paths(self):
+ """
+ Path should handle malformed paths.
+ """
+ data = io.BytesIO()
+ zf = zipfile.ZipFile(data, "w")
+ zf.writestr("/one-slash.txt", b"content")
+ zf.writestr("//two-slash.txt", b"content")
+ zf.writestr("../parent.txt", b"content")
+ zf.filename = ''
+ root = zipp.Path(zf)
+ assert list(map(str, root.iterdir())) == [
+ 'one-slash.txt',
+ 'two-slash.txt',
+ 'parent.txt',
+ ]
diff -ur zipp-0.5.1.orig/zipp.py zipp-0.5.1/zipp.py
--- zipp-0.5.1.orig/zipp.py 2019-05-17 01:34:53.000000000 +1000
+++ zipp-0.5.1/zipp.py 2024-09-22 16:33:44.000000000 +1000
@@ -7,10 +7,67 @@
import posixpath
import zipfile
import functools
+import re
__metaclass__ = type
+class SanitizedNames:
+ """
+ ZipFile mix-in to ensure names are sanitized.
+ """
+
+ def namelist(self):
+ return list(map(self._sanitize, super().namelist()))
+
+ @staticmethod
+ def _sanitize(name):
+ r"""
+ Ensure a relative path with posix separators and no dot names.
+ Modeled after
+ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
+ but provides consistent cross-platform behavior.
+ >>> san = SanitizedNames._sanitize
+ >>> san('/foo/bar')
+ 'foo/bar'
+ >>> san('//foo.txt')
+ 'foo.txt'
+ >>> san('foo/.././bar.txt')
+ 'foo/bar.txt'
+ >>> san('foo../.bar.txt')
+ 'foo../.bar.txt'
+ >>> san('\\foo\\bar.txt')
+ 'foo/bar.txt'
+ >>> san('D:\\foo.txt')
+ 'D/foo.txt'
+ >>> san('\\\\server\\share\\file.txt')
+ 'server/share/file.txt'
+ >>> san('\\\\?\\GLOBALROOT\\Volume3')
+ '?/GLOBALROOT/Volume3'
+ >>> san('\\\\.\\PhysicalDrive1\\root')
+ 'PhysicalDrive1/root'
+ Retain any trailing slash.
+ >>> san('abc/')
+ 'abc/'
+ Raises a ValueError if the result is empty.
+ >>> san('../..')
+ Traceback (most recent call last):
+ ...
+ ValueError: Empty filename
+ """
+
+ def allowed(part):
+ return part and part not in {'..', '.'}
+ # Remove the drive letter.
+ # Don't use ntpath.splitdrive, because that also strips UNC paths
+ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
+ clean = bare.replace('\\', '/')
+ parts = clean.split('/')
+ joined = '/'.join(filter(allowed, parts))
+ if not joined:
+ raise ValueError("Empty filename")
+ return joined + '/' * name.endswith('/')
+
class Path:
"""
A pathlib-compatible interface for zip files.
@@ -165,7 +222,7 @@
return self._next(parent_at)
def _names(self):
- return self._add_implied_dirs(self.root.namelist())
+ return self._add_implied_dirs(list(map(SanitizedNames._sanitize, self.root.namelist())))
if sys.version_info < (3,):
__div__ = __truediv__
Reference in new issue View Git Blame Copy Permalink