Using tarfile.tar_filter to avoid malicious files

invesalius · Sep 23, 2024 · f135478 · f135478
1 parent bac2e2a
commit f135478
Showing 1 changed file with 1 addition and 9 deletions.
diff --git a/invesalius/project.py b/invesalius/project.py
@@ -518,17 +518,9 @@ def Extract(filename: Union[str, bytes, os.PathLike], folder: Union[str, bytes,
     os.mkdir(os.path.join(folder, idir))
     filelist = []
     for t in tar.getmembers():
-        fsrc = tar.extractfile(t)
-        if fsrc is None:
-            raise Exception("Error extracting file")
+        tar.extract(t, path=folder, filter=tarfile.tar_filter)
         fname = os.path.join(folder, decode(t.name, "utf-8"))
-        fdst = open(fname, "wb")
-        shutil.copyfileobj(fsrc, fdst)
         filelist.append(fname)
-        fsrc.close()
-        fdst.close()
-        del fsrc
-        del fdst
     tar.close()
     return filelist