From 996334eead8088e824e41430a0a179902d16679f Mon Sep 17 00:00:00 2001 From: Sebastian Date: Sat, 15 Sep 2018 18:56:46 +0200 Subject: [PATCH] Donate CPU: Only extract relevant source files from archives #8716 (#1379) Use python tarfile instead of tar to extract the packages. Only extract source files of interest. Skip dangerous files that could overwrite files outside the temp folder. Fixes https://trac.cppcheck.net/ticket/8716 --- tools/donate-cpu.py | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/tools/donate-cpu.py b/tools/donate-cpu.py index 5c513c9d4..aaed694ef 100644 --- a/tools/donate-cpu.py +++ b/tools/donate-cpu.py @@ -26,10 +26,11 @@ import sys import socket import time import re +import tarfile def checkRequirements(): result = True - for app in ['g++', 'git', 'make', 'wget', 'tar']: + for app in ['g++', 'git', 'make', 'wget']: try: subprocess.call([app, '--version']) except OSError: @@ -156,7 +157,16 @@ def unpackPackage(workPath, tgz): removeTree(tempPath) os.mkdir(tempPath) os.chdir(tempPath) - subprocess.call(['tar', 'xzvf', tgz]) + if tarfile.is_tarfile(tgz): + tf = tarfile.open(tgz) + for member in tf: + if member.name.startswith(('/', '..')): + # Skip dangerous file names + continue + elif member.name.lower().endswith(('.c', '.cl', '.cpp', '.cxx', '.cc', '.c++', '.h', '.hpp', '.hxx', '.hh', '.tpp', '.txx')): + tf.extract(member.name) + print(member.name) + tf.close() os.chdir(workPath)