[Python-checkins] r88795 - in sandbox/branches/setuptools-0.6: EasyInstall.txt setuptools/archive_util.py

phillip.eby python-checkins at python.org
Wed Mar 23 22:09:16 CET 2011 

Author: phillip.eby
Date: Wed Mar 23 22:09:16 2011
New Revision: 88795

Log:
Fixed skipping extraction of files or directories containing '..' in 
their names.


Modified:
   sandbox/branches/setuptools-0.6/EasyInstall.txt
   sandbox/branches/setuptools-0.6/setuptools/archive_util.py

Modified: sandbox/branches/setuptools-0.6/EasyInstall.txt
==============================================================================
--- sandbox/branches/setuptools-0.6/EasyInstall.txt	(original)
+++ sandbox/branches/setuptools-0.6/EasyInstall.txt	Wed Mar 23 22:09:16 2011
@@ -1235,6 +1235,12 @@
 
  * Support user/password credentials in Subversion (svnserve) URLs
 
+ * Fixed problems accessing /dev/null inside the script sandbox, and the sandbox
+   swapping the ``open`` and file`` builtins.
+
+ * Fixed skipping extraction of files or directories containing '..' in their
+   names
+
 0.6c11
  * Fix installed script .exe files not working with 64-bit Python on Windows
    (wasn't actually released in 0.6c10 due to a lost checkin)

Modified: sandbox/branches/setuptools-0.6/setuptools/archive_util.py
==============================================================================
--- sandbox/branches/setuptools-0.6/setuptools/archive_util.py	(original)
+++ sandbox/branches/setuptools-0.6/setuptools/archive_util.py	Wed Mar 23 22:09:16 2011
@@ -138,7 +138,7 @@
             name = info.filename
 
             # don't extract absolute paths or ones with .. in them
-            if name.startswith('/') or '..' in name:
+            if name.startswith('/') or '..' in name.split('/'):
                 continue
 
             target = os.path.join(extract_dir, *name.split('/'))
@@ -180,7 +180,7 @@
         for member in tarobj:
             name = member.name
             # don't extract absolute paths or ones with .. in them
-            if not name.startswith('/') and '..' not in name:
+            if not name.startswith('/') and '..' not in name.split('/'):
                 dst = os.path.join(extract_dir, *name.split('/'))
                 while member is not None and (member.islnk() or member.issym()):
                     linkpath = member.linkname

More information about the Python-checkins mailing list