From be6cabcb5c31a44f8d2768385bb38c541ede18c3 Mon Sep 17 00:00:00 2001
From: Etienne Trimaille
Date: Wed, 7 Aug 2024 15:02:18 +0200
Subject: [PATCH] Fix tarfile security issue

---
 .docker/docker-compose.yml | 4 +---
 cadastre/cadastre_import.py | 22 +++++++++++++++++++++-
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/.docker/docker-compose.yml b/.docker/docker-compose.yml
index 0c556ab9..abe92c19 100644
--- a/.docker/docker-compose.yml
+++ b/.docker/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.9'
-
 networks:
 qgis_plugin_network:
 
@@ -28,7 +26,7 @@ services:
 qgis:
 profiles:
 - "qgis"
- image: qgis/qgis:release-3_22
+ image: qgis/qgis:release-3_34
 container_name: qgis
 networks:
 qgis_plugin_network:
diff --git a/cadastre/cadastre_import.py b/cadastre/cadastre_import.py
index f2b8500b..9976a7e6 100644
--- a/cadastre/cadastre_import.py
+++ b/cadastre/cadastre_import.py
@@ -1009,7 +1009,27 @@ def unzipFolderContent(self, path):
 for z in tarFileListA:
 with tarfile.open(z) as t:
 try:
- t.extractall(os.path.join(self.edigeoPlainDir, 'tar_%s' % i))
+ # See https://docs.python.org/3.10/library/tarfile.html#tarfile.TarFile.extractall
+ # See https://peps.python.org/pep-0706/
+ arguments = {
+ 'filter': 'data'
+ }
+ if (3, 8, 0) <= sys.version_info < (3, 8, 17) \
+ or (3, 9, 0) <= sys.version_info < (3, 9, 17) \
+ or (3, 10, 0) <= sys.version_info < (3, 10, 12):
+ # noinspection PyTypeChecker
+ QgsMessageLog.logMessage(
+ "Version de Python obsolète, veuillez monter votre version de QGIS afin "
+ "de passer à une version plus récente",
+ 'cadastre',
+ Qgis.Warning
+ )
+ arguments.pop('filter')
+
+ t.extractall(
+ os.path.join(self.edigeoPlainDir, 'tar_%s' % i),
+ **arguments,
+ )
 except tarfile.ReadError:
 # Issue GitHub #339
 self.go = False
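Review bot: The version-tuple test that decides whether to drop `filter` misses interpreters that also lack `TarFile.extractall(filter=...)`: anything below 3.8 and 3.11.0–3.11.3 (the argument arrived in 3.11.4), so on those builds the `**arguments` call raises `TypeError` instead of extracting, and `TypeError` is not caught by the `except tarfile.ReadError` that follows. PEP 706 recommends feature detection instead, which also covers vendor backports: `if not hasattr(tarfile, 'data_filter'):` in place of the three-line `sys.version_info` comparison. Note also that in the fallback branch the archive is still extracted with no filter, i.e. the path-traversal behaviour this commit sets out to fix persists there with only a log message; if those QGIS builds must stay supported, consider rejecting members whose resolved path escapes the target directory (e.g. via `os.path.commonpath`) before calling `extractall`. The enclosing `unzipFolderContent` starts before this hunk.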