Use python tarfile instead of tar to extract the packages. Only extract source files of interest. Skip dangerous files that could overwrite files outside the temp folder. Fixes https://trac.cppcheck.net/ticket/8716
This commit is contained in:
parent
e9a44f70b2
commit
996334eead
@ -26,10 +26,11 @@ import sys
import socket
import socket
import time
import time
import re
import re
import tarfile
def checkRequirements():
def checkRequirements():
result = True
result = True
for app in ['g++', 'git', 'make', 'wget', 'tar']:
for app in ['g++', 'git', 'make', 'wget']:
try:
try:
subprocess.call([app, '--version'])
subprocess.call([app, '--version'])
except OSError:
except OSError:
@ -156,7 +157,16 @@ def unpackPackage(workPath, tgz):
removeTree(tempPath)
removeTree(tempPath)
os.mkdir(tempPath)
os.mkdir(tempPath)
os.chdir(tempPath)
os.chdir(tempPath)
subprocess.call(['tar', 'xzvf', tgz])
if tarfile.is_tarfile(tgz):
tf = tarfile.open(tgz)
for member in tf:
if member.name.startswith(('/', '..')):
# Skip dangerous file names
continue
elif member.name.lower().endswith(('.c', '.cl', '.cpp', '.cxx', '.cc', '.c++', '.h', '.hpp', '.hxx', '.hh', '.tpp', '.txx')):
tf.extract(member.name)
print(member.name)
tf.close()
os.chdir(workPath)
os.chdir(workPath)
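Review bot: The guard at `if member.name.startswith(('/', '..')):` only rejects a leading prefix, so a name such as `src/../../x.c` (constructed example) passes it, and `tf.extract(member.name)` will also extract symlink and hardlink members, whose targets are not checked at all. Normalising the name with `os.path.normpath` before the check and restricting extraction to `member.isfile()` closes both gaps; on interpreters that provide it, `tf.extract(member, filter='data')` enforces the same rules inside the library. `tf.close()` is also only reached on the happy path — an exception raised by `extract` leaks the handle — so a `with tarfile.open(tgz) as tf:` block is preferable. unpackPackage starts before the hunk.
```python
    with tarfile.open(tgz) as tf:
        for member in tf:
            # Regular files only; normalise so 'a/../../x' is caught, not just a leading '..'
            if not member.isfile() or os.path.normpath(member.name).startswith(('/', '..')):
                continue
            if member.name.lower().endswith(('.c', '.cl', '.cpp', '.cxx', '.cc', '.c++', '.h', '.hpp', '.hxx', '.hh', '.tpp', '.txx')):
                tf.extract(member)
                print(member.name)
    # … unchanged: os.chdir(workPath) …
```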