python/samba/tests/safe_tarfile.py

   1 # Unix SMB/CIFS implementation.
   2 # Copyright (C) Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   3 #
   4 # This program is free software; you can redistribute it and/or modify
   5 # it under the terms of the GNU General Public License as published by
   6 # the Free Software Foundation; either version 3 of the License, or
   7 # (at your option) any later version.
   8 #
   9 # This program is distributed in the hope that it will be useful,
  10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 # GNU General Public License for more details.
  13 #
  14 # You should have received a copy of the GNU General Public License
  15 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  16 import tarfile
  17 from samba import safe_tarfile
  18
  19 import os
  20 from samba.tests import TestCaseInTempDir
  21
  22
  23 def filterer(prefix):
  24     def f(info):
  25         info.name = prefix + info.name
  26         return info
  27     return f
  28
  29
  30 class SafeTarFileTestCase(TestCaseInTempDir):
  31
  32     def test_dots(self):
  33         filename = os.path.join(self.tempdir, 'x')
  34         tarname = os.path.join(self.tempdir, 'tar.tar')
  35         f = open(filename, 'w')
  36         f.write('x')
  37         f.close()
  38
  39         tf = tarfile.open(tarname, 'w')
  40         tf.add(filename, filter=filterer('../../'))
  41         tf.close()
  42
  43         stf = safe_tarfile.open(tarname)
  44
  45         # If we have data_filter, we have a patched python to address
  46         # CVE-2007-4559.
  47         if hasattr(tarfile, "data_filter"):
  48             self.assertRaises(tarfile.OutsideDestinationError,
  49                               stf.extractall,
  50                               tarname)
  51         else:
  52             self.assertRaises(tarfile.ExtractError,
  53                               stf.extractall,
  54                               tarname)
  55         self.rm_files('x', 'tar.tar')
  56
  57     def test_slash(self):
  58         filename = os.path.join(self.tempdir, 'x')
  59         tarname = os.path.join(self.tempdir, 'tar.tar')
  60         f = open(filename, 'w')
  61         f.write('x')
  62         f.close()
  63
  64         tf = tarfile.open(tarname, 'w')
  65         tf.add(filename, filter=filterer('/'))
  66         tf.close()
  67
  68         stf = safe_tarfile.open(tarname)
  69
  70         # If we have data_filter, we have a patched python to address
  71         # CVE-2007-4559.
  72         if hasattr(tarfile, "data_filter"):
  73             self.assertRaises(NotADirectoryError,
  74                               stf.extractall,
  75                               tarname)
  76         else:
  77             self.assertRaises(tarfile.ExtractError,
  78                               stf.extractall,
  79                               tarname)
  80
  81         self.rm_files('x', 'tar.tar')