Allow valid links in extracted tar archives

The check is intended to ensure paths don't traverse outside the extracted directory. However, the check was too strict: it banned all links, even relative links that still point inside the target directory. This CL relaxes the requirement to allow valid links. This is required to allow library symlinks for the instrumented libraries. Examples: libpcre.so -> libpcre.so.3.13.3 libpcre.so.3 -> libpcre.so.3.13.3 libpixman-1.so -> libpixman-1.so.0.38.4 libpixman-1.so.0 -> libpixman-1.so.0.38.4 libpng16.so -> libpng16.so.16.37.0 libpng16.so.16 -> libpng16.so.16.37.0 Bug: 320564950 Change-Id: I2aae18b86b1f1cc3d73a1b80c06d757af782f700 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5369132 Reviewed-by: Joanna Wang <jojwang@chromium.org> Auto-Submit: Thomas Anderson <thomasanderson@chromium.org> Commit-Queue: Joanna Wang <jojwang@chromium.org>
2026-01-11 10:41:31 +00:00 · 2024-03-13 19:32:47 +00:00
parent fe6a359a80
commit b3d7b07503
1 changed files with 8 additions and 1 deletions
--- a/download_from_google_storage.py
+++ b/download_from_google_storage.py
@@ -225,7 +225,14 @@ def _validate_tar_file(tar, prefix):
    def _validate(tarinfo):
        """Returns false if the tarinfo is something we explicitly forbid."""
        if tarinfo.issym() or tarinfo.islnk():
-            return False
+            # For links, check if the destination is valid.
+            if os.path.isabs(tarinfo.linkname):
+                return False
+            link_target = os.path.normpath(
+                os.path.join(os.path.dirname(tarinfo.name), tarinfo.linkname))
+            if not link_target.startswith(prefix):
+                return False
+
        if ('../' in tarinfo.name or '..\\' in tarinfo.name
                or not tarinfo.name.startswith(prefix)):
            return False