chunzhi/chatgpt_academic
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

scan first, then extract

Browse Source
This commit is contained in:
binary-husky 2024-04-14 21:36:57 +08:00
parent f77ab27bc9
commit eff5b89b98
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
shared_utils/handle_upload.py
View File

@ -104,15 +104,15 @@ def extract_archive(file_path, dest_dir):
elif file_extension in [".tar", ".gz", ".bz2"]: elif file_extension in [".tar", ".gz", ".bz2"]:
with tarfile.open(file_path, "r:*") as tarobj: with tarfile.open(file_path, "r:*") as tarobj:
for member in tarobj.getmembers():
# 清理提取路径,移除任何不安全的元素 # 清理提取路径,移除任何不安全的元素
for member in tarobj.getmembers():
member_path = os.path.normpath(member.name) member_path = os.path.normpath(member.name)
full_path = os.path.join(dest_dir, member_path) full_path = os.path.join(dest_dir, member_path)
full_path = os.path.abspath(full_path) full_path = os.path.abspath(full_path)
if not full_path.startswith(os.path.abspath(dest_dir) + os.sep): if not full_path.startswith(os.path.abspath(dest_dir) + os.sep):
raise Exception(f"Attempted Path Traversal in {member.name}") raise Exception(f"Attempted Path Traversal in {member.name}")
tarobj.extract(member, path=dest_dir) tarobj.extractall(path=dest_dir)
print("Successfully extracted tar archive to {}".format(dest_dir)) print("Successfully extracted tar archive to {}".format(dest_dir))
# 第三方库需要预先pip install rarfile # 第三方库需要预先pip install rarfile