Commit ad2d853
authored
Fix symlink-following arbitrary file write in archive extraction (#8303)
Extractor.extract() called shutil.rmtree(output_path, ignore_errors=True)
before extracting. Since Python 3.8, shutil.rmtree() raises OSError on a
symlink pointing to a directory, which ignore_errors=True silently swallows.
An attacker with write access to a shared cache directory could pre-plant a
symlink at the predictable extraction output path; rmtree would no-op on it,
and extraction would then follow the symlink and write archive contents into
the attacker-chosen target, yielding arbitrary file write as the victim.
The existing safemembers() zip-slip mitigation only validates member names
and is blind to the output directory itself being a symlink.
Remove the symlink itself before extracting so contents can no longer be
written through it.1 parent 69939eb commit ad2d853
1 file changed
Lines changed: 2 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
439 | 439 | | |
440 | 440 | | |
441 | 441 | | |
| 442 | + | |
| 443 | + | |
442 | 444 | | |
443 | 445 | | |
444 | 446 | | |
0 commit comments