From 05413afa8c18cdb978fcdf470e09f7a12b234a23 Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Fri, 22 Jan 2021 12:23:18 +0100 Subject: Fixed CVE-2021-3281 -- Fixed potential directory-traversal via archive.extract(). Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews. Thanks Wang Baohua for the report. --- tests/utils_tests/test_archive.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'tests/utils_tests/test_archive.py') diff --git a/tests/utils_tests/test_archive.py b/tests/utils_tests/test_archive.py index dc7c4b4ebd..8fdf3ec445 100644 --- a/tests/utils_tests/test_archive.py +++ b/tests/utils_tests/test_archive.py @@ -4,6 +4,8 @@ import sys import tempfile import unittest +from django.core.exceptions import SuspiciousOperation +from django.test import SimpleTestCase from django.utils import archive @@ -45,3 +47,22 @@ class TestArchive(unittest.TestCase): # A file is readable even if permission data is missing. filepath = os.path.join(tmpdir, 'no_permissions') self.assertEqual(os.stat(filepath).st_mode & mask, 0o666 & ~umask) + + +class TestArchiveInvalid(SimpleTestCase): + def test_extract_function_traversal(self): + archives_dir = os.path.join(os.path.dirname(__file__), 'traversal_archives') + tests = [ + ('traversal.tar', '..'), + ('traversal_absolute.tar', '/tmp/evil.py'), + ] + if sys.platform == 'win32': + tests += [ + ('traversal_disk_win.tar', 'd:evil.py'), + ('traversal_disk_win.zip', 'd:evil.py'), + ] + msg = "Archive contains invalid path: '%s'" + for entry, invalid_path in tests: + with self.subTest(entry), tempfile.TemporaryDirectory() as tmpdir: + with self.assertRaisesMessage(SuspiciousOperation, msg % invalid_path): + archive.extract(os.path.join(archives_dir, entry), tmpdir) -- cgit v1.3