This patch was taken from upstream pywayland 0.4.15: https://github.com/flacjacket/pywayland/pull/42 --- a/doc/protocol_build.py 2022-07-24 11:03:10.000000000 -0700 +++ b/doc/protocol_build.py 2022-12-20 20:00:48.659884422 -0800 @@ -14,6 +14,24 @@ ) ) +def _is_within_directory(directory, target): + """Helper to check for CVE-2007-4559""" + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + +def _safe_extractall(tar, path=".", members=None, *, numeric_owner=False): + """Helper to check for CVE-2007-4559""" + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) def protocols_build(output_dir): from pywayland.scanner import Protocol @@ -26,7 +44,7 @@ protocol_dest = "wayland-protocols-{}".format(protocols_version) urllib.request.urlretrieve(protocols_source, protocol_dest + ".tar.xz") with tarfile.open(protocol_dest + ".tar.xz") as f: - f.extractall() + _safe_extractall(f) # walk the directory and generate all the protocols protocol_files = [wayland_file] + sorted(