avoid mknod by ignoring char/block devices
authorPaymon MARANDI <Paymon MARANDI darwinskernel@gmail.com>
Sun, 5 Mar 2023 14:26:07 +0000 (09:26 -0500)
committerPaymon MARANDI <darwinskernel@gmail.com>
Sun, 12 Mar 2023 16:24:01 +0000 (12:24 -0400)
mkosi/backend.py

index e44de931d4dea9ab66f3242cb055e0e08f79270b..cbbe8c6215504ddff99ab4a98717a77aeb042505 100644 (file)
@@ -482,15 +482,18 @@ def safe_tar_extract(tar: tarfile.TarFile, path: Path=Path("."), *, numeric_owne
     See https://github.com/advisories/GHSA-gw9q-c7gh-j9vm
     """
     path = path.resolve()
+    members = []
     for member in tar.getmembers():
         target = path / member.name
         try:
-            # a.relative_to(b) throws a ValueError if a is not a subpath of b
-            target.resolve().relative_to(path)
+            if not (member.ischr() or member.isblk()):
+                # a.relative_to(b) throws a ValueError if a is not a subpath of b
+                target.resolve().relative_to(path)
+                members += [member]
         except ValueError as e:
             raise MkosiException(f"Attempted path traversal in tar file {tar.name!r}") from e
 
-    tar.extractall(path, numeric_owner=numeric_owner)
+    tar.extractall(path, members=members, numeric_owner=numeric_owner)
 
 
 def disable_pam_securetty(root: Path) -> None:
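Review bot: The containment check in this loop still looks only at `member.name`, so a symlink or hard-link member whose `linkname` points outside `path` is appended to `members` and extracted, and entries written beneath such a link are not covered by a check that ran before the link existed on disk. Inside the existing `try`, the link target could be validated as well: `if member.issym(): (target.parent / member.linkname).resolve().relative_to(path)` and `elif member.islnk(): (path / member.linkname).resolve().relative_to(path)`. Whether absolute symlink targets have to stay allowed depends on the callers and on the start of `safe_tar_extract`, both outside this hunk, so that policy should be settled before tightening the check. Char/block members are now dropped silently; a debug message naming each skipped entry would make a missing device node easier to diagnose, and `members.append(member)` is the more usual spelling of `members += [member]`.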