Fix tarfile security issue
Gustry committed Aug 8, 2024
1 parent 5fe6b6c commit be6cabc
Showing 2 changed files with 22 additions and 4 deletions.
4 changes: 1 addition & 3 deletions .docker/docker-compose.yml
@@ -1,5 +1,3 @@
version: '3.9'

networks:
qgis_plugin_network:

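Review bot: the removal of `version: '3.9'` in this hunk is unrelated to the tarfile change the commit message describes; either split it into its own commit or mention it in the message so the history stays searchable. The removal itself is harmless, since Compose v2 treats the top-level `version` key as obsolete and only warns about it.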
@@ -28,7 +26,7 @@ services:
qgis:
profiles:
- "qgis"
image: qgis/qgis:release-3_22
image: qgis/qgis:release-3_34
container_name: qgis
networks:
qgis_plugin_network:
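Review bot: the bump from `qgis/qgis:release-3_22` to `qgis/qgis:release-3_34` is what gives the test container a Python build that accepts the `filter` argument added in `cadastre_import.py`; state that dependency in the commit message, and check whether the plugin's minimum supported QGIS version needs the same bump, since users still on older builds only ever reach the warning path.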
22 changes: 21 additions & 1 deletion cadastre/cadastre_import.py
@@ -1009,7 +1009,27 @@ def unzipFolderContent(self, path):
for z in tarFileListA:
with tarfile.open(z) as t:
try:
t.extractall(os.path.join(self.edigeoPlainDir, 'tar_%s' % i))
# See https://docs.python.org/3.10/library/tarfile.html#tarfile.TarFile.extractall
# See https://peps.python.org/pep-0706/
arguments = {
'filter': 'data'
}
if (3, 8, 0) <= sys.version_info < (3, 8, 17) \
or (3, 9, 0) <= sys.version_info < (3, 9, 17) \
or (3, 10, 0) <= sys.version_info < (3, 10, 12):
# noinspection PyTypeChecker
QgsMessageLog.logMessage(
"Version de Python obsolète, veuillez monter votre version de QGIS afin "
"de passer à une version plus récente",
'cadastre',
Qgis.Warning
)
arguments.pop('filter')

t.extractall(
os.path.join(self.edigeoPlainDir, 'tar_%s' % i),
**arguments,
)
except tarfile.ReadError:
# Issue GitHub #339
self.go = False
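Review bot: the version check that pops `filter` misses Python 3.11.0 through 3.11.3, where `extractall()` does not accept the argument either (PEP 706 backported it in 3.8.17, 3.9.17, 3.10.12 and 3.11.4), so those interpreters raise `TypeError` at `t.extractall(...)`; rather than enumerating version ranges, use the detection PEP 706 itself recommends, `if hasattr(tarfile, 'data_filter'):`, and log the warning and drop the argument only when that is false. Two smaller points: `sys` has to be imported at the top of `cadastre_import.py` for the fallback branch to work (not visible in this hunk, so please verify), and with the `data` filter active a rejected member raises `tarfile.FilterError`, which is a `TarError` but not a `ReadError`, so the `except tarfile.ReadError` below lets it propagate instead of setting `self.go = False`; catching `FilterError` as well (guarded with `getattr` for interpreters that predate it) keeps the existing failure path for hostile archives.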

0 comments on commit be6cabc