Backport initial tarfile sanitization

This patch replaces the upstream fix for potential path traversal when extracting a tar file [1] with the initial patch provided by the reporters [2].

The upstream fix uses pathlib.Path.is_relative_to(), which was added in Python 3.9 [3] and is not available on dispatchers running Debian Buster.

[1] https://git.lavasoftware.org/lava/lava/-/merge_requests/1927
[2] https://github.com/Linaro/lava/pull/3
[3] https://github.com/python/cpython/pull/14982

Signed-off-by: Paweł Wieczorek <pawiecz@collabora.com>
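
An added illustration of a tar member containment check that avoids `pathlib.Path.is_relative_to()` and so runs on Python versions older than 3.9. It is not the reporters' patch or the upstream fix; the function names and the in-memory sample archive are constructed for this example.

```python
import io
import os
import tarfile


def is_within_directory(directory, target):
    """True if target resolves to directory itself or a path beneath it."""
    base = os.path.realpath(directory)
    resolved = os.path.realpath(target)
    # commonpath() compares whole components, so "/srv/out-evil" is not
    # mistaken for a child of "/srv/out" as a startswith() check would do.
    return os.path.commonpath([base, resolved]) == base


def unsafe_members(tar, dest):
    """Return names of members that would be written, or point, outside dest."""
    bad = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            bad.append(member.name)
        elif member.issym() or member.islnk():
            # Symlink targets resolve from the link's own directory,
            # hard link targets from the archive root.
            link_base = os.path.dirname(target) if member.issym() else dest
            if not is_within_directory(dest, os.path.join(link_base, member.linkname)):
                bad.append(member.name)
    return bad


def safe_extractall(tar, dest):
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError("refusing to extract, unsafe members: %r" % bad)
    tar.extractall(dest)


def build_sample_archive():
    """Constructed test archive: one benign member and three that escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("rootfs/etc/hostname", "../outside.txt", "/abs.txt"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
        link = tarfile.TarInfo("rootfs/link")
        link.type, link.linkname = tarfile.SYMTYPE, "../../escape"
        tar.addfile(link)
    return io.BytesIO(buf.getvalue())
```

The whole archive is rejected before anything is written, so a single unsafe member does not leave a partially extracted tree behind.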