Donate CPU: Only extract relevant source files from archives #8716 (#1379)

Use python tarfile instead of tar to extract the packages.
Only extract source files of interest.
Skip dangerous files that could overwrite files outside the temp folder.
Fixes https://trac.cppcheck.net/ticket/8716
This commit is contained in:
Sebastian 2018-09-15 18:56:46 +02:00 committed by GitHub
parent e9a44f70b2
commit 996334eead
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 2 deletions

View File

@ -26,10 +26,11 @@ import sys
import socket import socket
import time import time
import re import re
import tarfile
def checkRequirements(): def checkRequirements():
result = True result = True
for app in ['g++', 'git', 'make', 'wget', 'tar']: for app in ['g++', 'git', 'make', 'wget']:
try: try:
subprocess.call([app, '--version']) subprocess.call([app, '--version'])
except OSError: except OSError:
@ -156,7 +157,16 @@ def unpackPackage(workPath, tgz):
removeTree(tempPath) removeTree(tempPath)
os.mkdir(tempPath) os.mkdir(tempPath)
os.chdir(tempPath) os.chdir(tempPath)
subprocess.call(['tar', 'xzvf', tgz]) if tarfile.is_tarfile(tgz):
tf = tarfile.open(tgz)
for member in tf:
if member.name.startswith(('/', '..')):
# Skip dangerous file names
continue
elif member.name.lower().endswith(('.c', '.cl', '.cpp', '.cxx', '.cc', '.c++', '.h', '.hpp', '.hxx', '.hh', '.tpp', '.txx')):
tf.extract(member.name)
print(member.name)
tf.close()
os.chdir(workPath) os.chdir(workPath)