From ba03399ff8dddc3493115db7ef903d937a9a0c80 Mon Sep 17 00:00:00 2001 From: Nian Shi <1178396201@qq.com> Date: Tue, 1 Nov 2022 12:48:37 +0800 Subject: [PATCH 1/2] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index bc2bc09..7c31b5d 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +## 航天宏图啥时候发PRCV2021的奖金呀?去年十月份,到今年十月份,都一年了啊!!!!!!!!!!!!!!!! + ## update 220518 - Coming soon! A Divided Spatial and Temporal Context Network for Remote Sensing Change Detection. ([config](#)/[log](#)) From ea1de11c043c098f115e3f51d22a081013a782a7 Mon Sep 17 00:00:00 2001 From: TrellixVulnTeam Date: Thu, 3 Nov 2022 04:10:58 +0000 Subject: [PATCH 2/2] Adding tarfile member sanitization to extractall() --- tools/convert_datasets/stare.py | 63 +++++++++++++++++++++++++++++++-- 1 file changed, 60 insertions(+), 3 deletions(-) diff --git a/tools/convert_datasets/stare.py b/tools/convert_datasets/stare.py index 6238d62..58de7ca 100644 --- a/tools/convert_datasets/stare.py +++ b/tools/convert_datasets/stare.py @@ -55,7 +55,26 @@ def main(): print('Extracting stare-images.tar...') with tarfile.open(image_path) as f: - f.extractall(osp.join(tmp_dir, 'gz')) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(f, osp.join(tmp_dir,"gz")) for filename in os.listdir(osp.join(tmp_dir, 'gz')): un_gz( @@ -90,7 +109,26 @@ def main(): print('Extracting labels-ah.tar...') with tarfile.open(labels_ah) as f: - f.extractall(osp.join(tmp_dir, 'gz')) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(f, osp.join(tmp_dir,"gz")) for filename in os.listdir(osp.join(tmp_dir, 'gz')): un_gz( @@ -129,7 +167,26 @@ def main(): print('Extracting labels-vk.tar...') with tarfile.open(labels_vk) as f: - f.extractall(osp.join(tmp_dir, 'gz')) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(f, osp.join(tmp_dir,"gz")) for filename in os.listdir(osp.join(tmp_dir, 'gz')): un_gz(