Donate CPU: Only extract relevant source files from archives #8716 (#1379)

Use python tarfile instead of tar to extract the packages. Only extract source files of interest. Skip dangerous files that could overwrite files outside the temp folder. Fixes https://trac.cppcheck.net/ticket/8716
2018-09-15 18:56:46 +02:00 · 2018-09-15 18:56:46 +02:00 · 996334eead
parent e9a44f70b2
commit 996334eead
1 changed files with 12 additions and 2 deletions
--- a/tools/donate-cpu.py
+++ b/tools/donate-cpu.py
@ -26,10 +26,11 @@ import sys
 import socket
 import time
 import re
+import tarfile

 def checkRequirements():
    result = True
-    for app in ['g++', 'git', 'make', 'wget', 'tar']:
+    for app in ['g++', 'git', 'make', 'wget']:
        try:
            subprocess.call([app, '--version'])
        except OSError:
@ -156,7 +157,16 @@ def unpackPackage(workPath, tgz):
    removeTree(tempPath)
    os.mkdir(tempPath)
    os.chdir(tempPath)
-    subprocess.call(['tar', 'xzvf', tgz])
+    if tarfile.is_tarfile(tgz):
+        tf = tarfile.open(tgz)
+        for member in tf:
+            if member.name.startswith(('/', '..')):
+                # Skip dangerous file names
+                continue
+            elif member.name.lower().endswith(('.c', '.cl', '.cpp', '.cxx', '.cc', '.c++', '.h', '.hpp', '.hxx', '.hh', '.tpp', '.txx')):
+                tf.extract(member.name)
+                print(member.name)
+        tf.close()
    os.chdir(workPath)