discourse/lib/compression/tar.rb
Jarek Radosz 4302097b3b
SECURITY: Prevent arbitrary file write when decompressing files (stable) (#18423)
* SECURITY: Prevent arbitrary file write when decompressing files
* FIX: Allow decompressing files into symlinked directories

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Gerhard Schlager <gerhard.schlager@discourse.org>
2022-09-29 20:07:58 +02:00

38 lines
913 B
Ruby

# frozen_string_literal: true
require 'rubygems/package'
module Compression
class Tar < Strategy
def extension
'.tar'
end
def compress(path, target_name)
tar_filename = sanitize_filename("#{target_name}.tar")
Discourse::Utils.execute_command('tar', '--create', '--file', tar_filename, target_name, failure_message: "Failed to tar file.")
sanitize_path("#{path}/#{tar_filename}")
end
private
def extract_folder(_entry, _entry_path); end
def get_compressed_file_stream(compressed_file_path)
file_stream = IO.new(IO.sysopen(compressed_file_path))
tar_extract = Gem::Package::TarReader.new(file_stream)
tar_extract.rewind
yield(tar_extract)
end
def build_entry_path(dest_path, entry, _)
File.join(dest_path, entry.full_name)
end
def decompression_results_path(dest_path, _)
dest_path
end
end
end