int/gpt_academic
1
0
派生 0
镜像自地址 https://github.com/binary-husky/gpt_academic.git 已同步 2025-12-06 06:26:47 +00:00
代码 工单 软件包 项目 版本发布 百科 动态

Merge pull request from GHSA-rh7j-jfvq-857j

浏览代码 
Prevent path traversal for improved security
这个提交包含在:
iluem
2024-04-14 21:33:37 +08:00
提交者 GitHub
父节点 ba0a8b7072
当前提交 f77ab27bc9
共有 1 个文件被更改,包括 9 次插入1 次删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件

10
shared_utils/handle_upload.py
查看文件

@@ -104,7 +104,15 @@ def extract_archive(file_path, dest_dir):
elif file_extension in [".tar", ".gz", ".bz2"]: elif file_extension in [".tar", ".gz", ".bz2"]:
with tarfile.open(file_path, "r:*") as tarobj: with tarfile.open(file_path, "r:*") as tarobj:
tarobj.extractall(path=dest_dir) for member in tarobj.getmembers():
# 清理提取路径,移除任何不安全的元素
member_path = os.path.normpath(member.name)
full_path = os.path.join(dest_dir, member_path)
full_path = os.path.abspath(full_path)
if not full_path.startswith(os.path.abspath(dest_dir) + os.sep):
raise Exception(f"Attempted Path Traversal in {member.name}")
tarobj.extract(member, path=dest_dir)
print("Successfully extracted tar archive to {}".format(dest_dir)) print("Successfully extracted tar archive to {}".format(dest_dir))
# 第三方库,需要预先pip install rarfile # 第三方库,需要预先pip install rarfile