From 9ebc62273ec8abfc4520660597fa80fe3de40203 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 24 Jun 2011 19:41:51 +0200
Subject: Preliminary support of .tar archives
---
 lib/archive.py | 31 +++++++++++++++++++++++++++++--
 lib/mat.py | 22 ++++++++++++++++------
 lib/parser.py | 6 ++++--
 3 files changed, 49 insertions(+), 10 deletions(-)
diff --git a/lib/archive.py b/lib/archive.py
index 6378cab..c8203c9 100644
--- a/lib/archive.py
+++ b/lib/archive.py
@@ -1,6 +1,33 @@
+import tarfile
+import sys
 import parser
+import mat
 class TarStripper(parser.Generic_parser):
 def remove_all(self):
- for file in self.editor.array("file"):
- print file.name
+ if not tarfile.is_tarfile(self.filename):
+ print('%s is not a valid tar file' % self.filename)
+ sys.exit(1)
+
+ tarin = tarfile.open(self.filename, 'r')
+ tarout = tarfile.open(self.filename + parser.POSTFIX, 'w')
+
+ for current_file in tarin.getmembers():
+ tarin.extract(current_file)
+ if current_file.type is '0': #is current_file a regular file ?
+ #no backup file
+ class_file = mat.create_class_file(current_file.name, False)
+ class_file.remove_all()
+ tarout.add(current_file.name)
+
+ #meta from the tar itself
+ tarout.mtime = None
+
+ tarout.close()
+ tarin.close()
+
+ def is_clean(self):
+ return False
+
+
+
diff --git a/lib/mat.py b/lib/mat.py
index 6abcd64..156c683 100644
--- a/lib/mat.py
+++ b/lib/mat.py
@@ -14,7 +14,7 @@ import hachoir_editor
 import images
 import audio
 import misc
-#import archive
+import archive
 __version__ = "0.1"
 __author__ = "jvoisin"
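Review bot: `tarin.extract(current_file)` in TarStripper.remove_all writes each member into the current working directory under the name stored in the archive, so a member whose name is absolute or contains `..`, or a link member, can land outside the intended location; the archive is untrusted input here. Extract into a fresh `tempfile.mkdtemp()` directory, handle only members for which `current_file.isfile()` is true (this also replaces `current_file.type is '0'`, which tests object identity rather than value), and skip any name whose resolved path leaves that directory. Re-adding from disk with `tarout.add(...)` records the local user's uid, gid, user and group names and the rewrite time in each header, and `tarout.mtime = None` only sets an attribute on the TarFile object, so the header fields should be reset on the TarInfo before it is written. The sketch below needs `import os` and `import tempfile` in archive.py, drops directory and link members, and leaves removal of the temporary directory to be added.

```python
        # … unchanged: is_tarfile() check, tarin and tarout opened …
        workdir = os.path.realpath(tempfile.mkdtemp())
        for current_file in tarin.getmembers():
            if not current_file.isfile():
                continue  # links, devices and directories are not extracted
            target = os.path.realpath(os.path.join(workdir, current_file.name))
            if not target.startswith(workdir + os.sep):
                print('%s: member name leaves the extraction directory, skipped' % current_file.name)
                continue
            tarin.extract(current_file, workdir)
            class_file = mat.create_class_file(target, False)
            class_file.remove_all()
            # build the header ourselves so no local owner or timestamp is recorded
            info = tarout.gettarinfo(target, arcname=current_file.name)
            info.uid = info.gid = 0
            info.uname = info.gname = ''
            info.mtime = 0
            with open(target, 'rb') as cleaned:
                tarout.addfile(info, cleaned)
        # … unchanged: tarout.close(), tarin.close() …
```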
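Review bot: With `import archive` enabled here and `import mat` added at the top of lib/archive.py, the two modules now import each other. The `strippers` dict further down in mat.py reads `archive.TarStripper` at import time, so if archive is imported before mat that lookup runs while archive is only partly initialised and fails with AttributeError. Moving `import mat` inside `TarStripper.remove_all`, the only place archive.py uses it, would remove the cycle.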
@@ -24,24 +24,34 @@ strippers = {
 hachoir_parser.image.PngFile: images.PngStripper,
 hachoir_parser.audio.MpegAudioFile: audio.MpegAudioStripper,
 hachoir_parser.misc.PDFDocument: misc.PdfStripper,
- #hachoir_parser.archive.TarFile: archive.TarStripper,
+ hachoir_parser.archive.TarFile: archive.TarStripper,
 }
-def create_class_file(name, backup):
+def is_secure(filename):
 '''
- return a $FILETYPEStripper() class,
- corresponding to the filetype of the given file
+ Prevent shell injection
 '''
 if not(os.path.isfile(name)): #check if the file exist
 print("Error: %s is not a valid file" % name)
 sys.exit(1)
+ filename.strip('\s') #separations
+ filename.strip('`') #injection `rm / -Rf`
+ filename.strip('\$(.*)')#injection $(rm / -Rf)
+ filename.strip(';')#injection $filename;rm / -Rf
+
+def create_class_file(name, backup):
+ '''
+ return a $FILETYPEStripper() class,
+ corresponding to the filetype of the given file
+ '''
+ #is_secure(name)
 filename = ""
 realname = name
 filename = hachoir_core.cmd_line.unicodeFilename(name)
 parser = hachoir_parser.createParser(filename)
 if not parser:
- print("Unable to parse the file %s : sorry" % filename)
+ print("Unable to parse the file %s with hachoir-parser." % filename)
 sys.exit(1)
 editor = hachoir_editor.createEditor(parser)
diff --git a/lib/parser.py b/lib/parser.py
index d629619..12ef15a 100644
--- a/lib/parser.py
+++ b/lib/parser.py
@@ -6,6 +6,7 @@ import hachoir_core.error
 import hachoir_parser
 import hachoir_editor
 import sys
+import os
 import shutil
 POSTFIX = ".cleaned"
@@ -25,6 +26,7 @@ class Generic_parser():
 #FIXME : not secure at all !
 try:
 shutil.rmtree(self.filename)
+ #shutil.subprocess('shutil' , '--remove', 'self.filename')
 except:
 print('Unable to remove %s' % self.filename)
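Review bot: `is_secure()` cannot protect anything as written: its parameter is `filename` but the moved check tests `name`, every `filename.strip(...)` result is discarded (str.strip returns a new string and treats its argument as a set of edge characters, not a pattern), and the function returns nothing. Its only call, `#is_secure(name)`, is commented out, so `create_class_file` has also lost the `os.path.isfile` check it had before this commit. I would keep `if not os.path.isfile(name):` in `create_class_file` and drop the metacharacter stripping. Should a later change run an external program, passing the path as one element of an argument list with no shell involved removes the need to filter it.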
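Review bot: The line added in the hunk at -25 is commented-out code for a call that does not exist (`shutil` has no `subprocess` attribute) and that would pass the literal string `'self.filename'` rather than the attribute; a `# TODO: overwrite the file before unlinking` comment would state the intent without looking runnable. The live path above it still calls `shutil.rmtree(self.filename)`, which is meant for directory trees, and the bare `except:` reduces any failure to a printed message, so a caller cannot tell whether the original file was removed. If self.filename is a regular file, as the rename in the hunk at -47 suggests, `os.remove(self.filename)` under `except OSError:` would be the minimal correct form. The method's signature is outside this hunk.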
@@ -47,7 +49,7 @@ class Generic_parser():
 hachoir_core.field.writeIntoFile(self.editor, self.filename + POSTFIX)
 if self.backup is False:
 self.secure_remove() #remove the old file
- shutil.rename(self.filename+ POSTFIX, self.filename)#rename the new
+ os.rename(self.filename+ POSTFIX, self.filename)#rename the new
 def remove_all_ugly(self):
 '''
@@ -57,7 +59,7 @@ class Generic_parser():
 In a perfect world, with nice fileformat, this method does not exist.
 '''
- raise NotImplementedError()
+ self.remove_all()
 def _remove(self, field):
-- 
cgit v1.3
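Review bot: In the hunk at -57, `remove_all_ugly()` now runs `remove_all()` instead of raising NotImplementedError, so a caller who asks for this pass gets the ordinary one with no sign of the difference. Only the tail of the docstring is visible ("In a perfect world, with nice fileformat, this method does not exist."), which suggests the method is meant for formats where the normal pass is not enough; for a metadata-removal tool a silent downgrade is riskier than an explicit failure. Either keep `raise NotImplementedError()` in Generic_parser and override the method in strippers where both passes really are the same, or document the default with a comment such as `# default: identical to remove_all(); strippers with a harsher pass override this`.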