CVE fix for 'safe extract' tar is covered by filter

rocky-linux · Aug 14, 2024 · e2ae0f8 · e2ae0f8
1 parent 8ce5f69
commit e2ae0f8
Showing 1 changed file with 5 additions and 8 deletions.
diff --git a/iso/empanadas/empanadas/util/shared.py b/iso/empanadas/empanadas/util/shared.py
@@ -1214,6 +1214,8 @@ def deploy_extra_files(extra_files, sync_root, global_work_root, logger):
     def tar_is_within_directory(directory, target):
         """
         CVE-2007-4559
+
+        Function is obsolete. Will be removed in a future version.
         """
         abs_directory = os.path.abspath(directory)
         abs_target = os.path.abspath(target)
@@ -1223,19 +1225,14 @@ def tar_is_within_directory(directory, target):
     @staticmethod
     def tar_safe_extractall(tar,
             path=".",
-            members=None,
             *,
             numeric_owner=False
         ):
         """
-        CVE-2007-4559
+        CVE-2007-4559 is addressed by setting filter='tar'. This function will
+        remain here to reduce changes to utilities.
         """
-        for member in tar.getmembers():
-            member_path = os.path.join(path, member.name)
-            if not Shared.tar_is_within_directory(path, member_path):
-                raise Exception("Path traversal attempted in tar file")
-
-        tar.extractall(path=path, members=members, numeric_owner=numeric_owner)
+        tar.extractall(path=path, numeric_owner=numeric_owner, filter='tar')
 
     @staticmethod
     def dnf_sync(repo, sync_root, work_root, arch, logger):