You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There's nothing stopping us from overwriting files that already exist when extracting, and it's hard to check for in advance given ZipFile.extract does some normalization of the path.
This would be bad if someone uploaded archive1.zip and archive2.zip, both containing wptreport.json and wptscreenshot.txt, which feels like a totally sensible thing to do.
We should probably just create a new temporary directory within self._temp_dir (via tempdir.mkdtemp(dir=self._temp_dir) for each archive file we're processing, and extract into that. This still isn't totally safe, but for there to be any risk you really need someone trying to be malicious.
The text was updated successfully, but these errors were encountered:
In the following:
wpt.fyi/results-processor/processor.py
Lines 200 to 210 in d6339c4
There's nothing stopping us from overwriting files that already exist when extracting, and it's hard to check for in advance given
ZipFile.extractdoes some normalization of the path.This would be bad if someone uploaded
archive1.zipandarchive2.zip, both containingwptreport.jsonandwptscreenshot.txt, which feels like a totally sensible thing to do.We should probably just create a new temporary directory within
self._temp_dir(viatempdir.mkdtemp(dir=self._temp_dir)for each archive file we're processing, and extract into that. This still isn't totally safe, but for there to be any risk you really need someone trying to be malicious.The text was updated successfully, but these errors were encountered: