Headline
CVE-2022-35410: Prevent arbitrary file read via zip archives (beebca4b) · Commits · jvoisin / mat2 · GitLab
mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows …/ directory traversal during the ZIP archive cleaning process. This primarily affects mat2 web instances, in which clients could obtain sensitive information via a crafted archive.
Commit beebca4b authored Jul 05, 2022 by
Browse files
Prevent arbitrary file read via zip archives
A zip file with a file pointing to /etc/passwd would, upon being cleaned by mat2, produce a file with the filesystem’s /etc/passwd file.
Pipeline #96635 passed with stages
in 2 minutes and 13 seconds
- Changes 1
- Pipelines 1
…
…
@@ -190,8 +190,14 @@ class ArchiveBasedAbstractParser(abstract.AbstractParser):
if member_name[-1] == '/’: # `is_dir` is added in Python3.6
continue # don’t keep empty folders
zin.extract(member=item, path=temp_folder)
full_path = os.path.join(temp_folder, member_name)
if not os.path.abspath(full_path).startswith(temp_folder):
logging.error("%s contains a file (%s) pointing outside (%s) of its root.",
self.filename, member_name, full_path)
abort = True
break
zin.extract(member=item, path=temp_folder)
try:
original_permissions = os.stat(full_path).st_mode
…
…
mentioned in issue #174 (closed)
mentioned in issue #174
Related news
mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process. This primarily affects mat2 web instances, in which clients could obtain sensitive information via a crafted archive.