Python's relpath mischievous behavior affecting the archive extractability

Question

Python's relpath mischievous behavior affecting the archive extractability

1AdAstra1 opened this issue 9 years ago · 7 comments

Good afternoon!

Just have noticed a case of strange behavior of this script, resulting in my tarballs not extracting:

Olgas-Mac-mini:somesoftware_c490e0f4_5235ff0b oreznikova$ tar -xzf test.tar.gz
./../../../../../../../../var/folders/yw/f7p3n2ds245d7p9cly1npc1h0000gn/T/somesoftware_c490e0f4_5235ff0b/repo/config/databases/geobaza/csv2mysql.sql: Path contains '..'
tar: Error exit delayed from previous errors.

I run the script this way (from another library's path, to archive the current directory):

/usr/bin/env /Users/oreznikova/WorkProjects/capistrano-git-copy/vendor/git-archive-all/git-archive-all --prefix='' ../test.tar.gz

I traced the call stack and found out that the project uses Python's 'relpath' function. So I put the temporary print statement into the script:

# Shell command returns absolute paths to submodules.
submodule_path = path.relpath(submodule_path, self.main_repo_abspath)
print(submodule_path)

And I saw it output a really weird path:

  /private/var/folders/yw/f7p3n2ds245d7p9cly1npc1h0000gn/T/somesoftware_c490e0f4_5235ff0b/repo/../../../../../../../../var/folders/yw/f7p3n2ds245d7p9cly1npc1h0000gn/T/somesoftware_490e0f4_5235ff0b/repo/config/databases/geobaza/csv2mysql.sql => ../../../../../../../../var/folders/yw/f7p3n2ds245d7p9cly1npc1h0000gn/T/somesoftware_c490e0f4_5235ff0b/repo/config/databases/geobaza/csv2mysql.sql

How can that happen? Is there anything a user can do to avoid such a behavior? Would be very thankful for any answer.

Answer 1 · 2015-08-04T16:07:15.000Z

@1AdAstra1 Could you also print submodule_path and self.main_repo_abspath?

Answer 2 · 2015-08-04T16:12:21.000Z

Yes, of course:

# Shell command returns absolute paths to submodules.
submodule_path = path.relpath(submodule_path, self.main_repo_abspath)
print("relative path: " + submodule_path)
print("absolute path: " + self.main_repo_abspath)

produces

relative path: ../../../../../../../../var/folders/yw/f7p3n2ds245d7p9cly1npc1h0000gn/T/somesoftware_c490e0f4_5235ff0b/repo/config/databases
absolute path: /private/var/folders/yw/f7p3n2ds245d7p9cly1npc1h0000gn/T/somesoftware_c490e0f4_5235ff0b/repo

Answer 3 · 2015-08-04T16:13:58.000Z

Could you print submodule_path before it's changed?

Answer 4 · 2015-08-04T16:17:21.000Z

Ah, sorry, didn't get that. Sure, here it is:

# Shell command returns absolute paths to submodules.
print("submodule original path: " + submodule_path)
submodule_path = path.relpath(submodule_path, self.main_repo_abspath)
print("relative path: " + submodule_path)
print("absolute path: " + self.main_repo_abspath)

produces

submodule original path: /var/folders/yw/f7p3n2ds245d7p9cly1npc1h0000gn/T/somesoftware_c490e0f4_5235ff0b/repo/config/databases
relative path: ../../../../../../../../var/folders/yw/f7p3n2ds245d7p9cly1npc1h0000gn/T/somesoftware_c490e0f4_5235ff0b/repo/config/databases
absolute path: /private/var/folders/yw/f7p3n2ds245d7p9cly1npc1h0000gn/T/somesoftware_c490e0f4_5235ff0b/repo

Answer 5 · 2015-08-04T16:20:41.000Z

I guess it's related to symlinks. /var is a symlink to /private/var/.

Answer 6 · 2015-08-04T16:21:34.000Z

@1AdAstra1 Try to replace https://github.com/Kentzo/git-archive-all/blob/master/git-archive-all#L288 with 'pwd -P'.

Answer 7 · 2015-08-04T16:23:23.000Z

Yep, seemed to produce the correct path now:

submodule original path: /private/var/folders/yw/f7p3n2ds245d7p9cly1npc1h0000gn/T/geoproxy_staging_c490e0f4_5235ff0b/repo/config/databases
relative path: config/databases
absolute path: /private/var/folders/yw/f7p3n2ds245d7p9cly1npc1h0000gn/T/geoproxy_staging_c490e0f4_5235ff0b/repo