From b1c295934577c79d06b0c29de92267792554a9fa Mon Sep 17 00:00:00 2001
From: Etienne Trimaille
Date: Wed, 7 Aug 2024 15:02:18 +0200
Subject: [PATCH] Fix tarfile security issue

---
 .docker/docker-compose.yml | 2 --
 cadastre/cadastre_import.py | 36 ++++++++++++++++++++++++++++--------
 2 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/.docker/docker-compose.yml b/.docker/docker-compose.yml
index 0c556ab9..12a88683 100644
--- a/.docker/docker-compose.yml
+++ b/.docker/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.9'
-
 networks:
 qgis_plugin_network:
 
diff --git a/cadastre/cadastre_import.py b/cadastre/cadastre_import.py
index f2b8500b..6260efec 100644
--- a/cadastre/cadastre_import.py
+++ b/cadastre/cadastre_import.py
@@ -638,7 +638,7 @@ def importEdigeo(self):
 self.dialog.connectionName,
 self.dialog.schema
 )
- )
+ )
 self.updateProgressBar()
 
 if self.go:
@@ -1009,7 +1009,28 @@ def unzipFolderContent(self, path):
 for z in tarFileListA:
 with tarfile.open(z) as t:
 try:
- t.extractall(os.path.join(self.edigeoPlainDir, 'tar_%s' % i))
+ # See https://docs.python.org/3.10/library/tarfile.html#tarfile.TarFile.extractall
+ # See https://peps.python.org/pep-0706/
+ arguments = {
+ 'filter': 'data'
+ }
+ if (3, 8, 0) <= sys.version_info < (3, 8, 17) \
+ or (3, 9, 0) <= sys.version_info < (3, 9, 17) \
+ or (3, 10, 0) <= sys.version_info < (3, 10, 12):
+ msg = (
+ "Version de Python obsolète, votre version comporte une faille de sécurité "
+ "concernant l'extraction d'une archive. Veuillez monter votre version de QGIS afin "
+ "de passer à une version plus récente dès que possible."
+ )
+ self.qc.updateLog(f"{msg}")
+ # noinspection PyTypeChecker
+ QgsMessageLog.logMessage(msg, 'cadastre', Qgis.Warning)
+ arguments.pop('filter')
+
+ t.extractall(
+ os.path.join(self.edigeoPlainDir, 'tar_%s' % i),
+ **arguments,
+ )
 except tarfile.ReadError:
 # Issue GitHub #339
 self.go = False
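Review bot: The version-range test before `arguments.pop('filter')` only covers 3.8/3.9/3.10, but PEP 706 backported the `filter` argument to 3.11 only from 3.11.4, so on 3.11.0–3.11.3 (or anything older than 3.8) `'filter'` stays in `arguments` and `t.extractall(..., filter='data')` raises `TypeError`, which the `except tarfile.ReadError` below does not catch and the import aborts instead of warning. PEP 706 itself recommends feature detection rather than version ranges: `if not hasattr(tarfile, 'data_filter'):`. On those interpreters the fallback still runs an unfiltered `extractall`, so the traversal issue is logged but not mitigated; the fallback should refuse members whose resolved path leaves the destination or that are links, raising `tarfile.ReadError` so the existing handler sets `self.go = False`. Minor: `self.qc.updateLog(f"{msg}")` is just `self.qc.updateLog(msg)`. unzipFolderContent starts and ends outside this hunk.
```python
arguments = {'filter': 'data'}
# PEP 706: detect the backport (3.8.17 / 3.9.17 / 3.10.12 / 3.11.4+) by feature, not by version
if not hasattr(tarfile, 'data_filter'):
    # … unchanged: msg, self.qc.updateLog, QgsMessageLog.logMessage …
    arguments.pop('filter')
    # No data filter available: reject members that would escape the target directory
    dest = os.path.join(self.edigeoPlainDir, 'tar_%s' % i)
    root = os.path.realpath(dest)
    for member in t.getmembers():
        target = os.path.realpath(os.path.join(dest, member.name))
        if member.issym() or member.islnk() or not target.startswith(root + os.sep):
            raise tarfile.ReadError('unsafe member in archive: %s' % member.name)
# … unchanged: t.extractall(os.path.join(self.edigeoPlainDir, 'tar_%s' % i), **arguments) …
```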
@@ -1026,7 +1047,7 @@ def unzipFolderContent(self, path):
 for z in tarFileListB:
 with tarfile.open(z) as t:
 try:
- t.extractall(os.path.join(self.edigeoPlainDir, 'tar_%s' % i))
+ t.extractall(os.path.join(self.edigeoPlainDir, f'tar_{i}'))
 except tarfile.ReadError:
 # Issue GitHub #339
 self.go = False
@@ -1039,7 +1060,7 @@ def unzipFolderContent(self, path):
 try:
 os.remove(z)
 except OSError:
- self.qc.updateLog("Erreur lors de la suppression de %s" % str(z))
+ self.qc.updateLog(f"Erreur lors de la suppression de {z}")
 pass # in Windows, sometime file is not unlocked
 
 except OSError:
@@ -1161,7 +1182,6 @@ def executeSqlScript(self, scriptPath, divide=False, ignoreError=False):
 
 # Write comment taken from "-- some comment" lines
 for comment in cr.findall(sqla):
-
 # Update timer before writing the comment
 # it will show the time taken by the previous statement
 self.updateTimer()
@@ -1478,7 +1498,7 @@ def importEdigeoVecToDatabase(self, path):
 sql = "BEGIN;"
 for item in l:
 sql += "INSERT INTO edigeo_rel ( nom, de, vers) VALUES ( '{}', '{}', '{}');".format(
- item[0], item[1], item[2])
+ item[0], item[1], item[2])
 sql += "COMMIT;"
 sql = CadastreCommon.setSearchPath(sql, self.dialog.schema)
 self.executeSqlQuery(sql)
@@ -1571,10 +1591,10 @@ def getUpdateMultipolygonFromVecQuery(self, path, layerType='edigeo'):
 # only if the 2 geometries are related (object_rid is not unique)
 if self.dialog.dbType == 'postgis':
 sql += " AND geom @ ST_Transform(ST_GeomFromText('{}', {}), {}) ; ".format(
- wkt, self.sourceSrid, self.targetSrid)
+ wkt, self.sourceSrid, self.targetSrid)
 else:
 sql += " AND ST_Intersects(geom, ST_Transform(ST_GeomFromText('{}', {}), {}) ); ".format(
- wkt, self.sourceSrid, self.targetSrid)
+ wkt, self.sourceSrid, self.targetSrid)
 sqlList.append(sql)
 
 return sqlList
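Review bot: The tarFileListB loop in the first hunk still calls `t.extractall(os.path.join(self.edigeoPlainDir, f'tar_{i}'))` with no `filter`, so the unsafe extraction this commit closes for tarFileListA remains open for the second set of archives, which presumably come from the same downloaded EDIGEO bundle. The filter selection and the version warning added to the tarFileListA loop belong in one helper, e.g. `self._extract_tar(t, os.path.join(self.edigeoPlainDir, f'tar_{i}'))`, called from both loops so the two paths cannot drift apart again. Reusing the `arguments` dict from the first loop here is not a fix: it is only bound if that loop ran at least once. unzipFolderContent starts and ends outside this hunk.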