Specify filter='data' for tarball extractions

conda · Jun 25, 2024 · b625204 · b625204
1 parent fbbc298
commit b625204
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 26 deletions.
diff --git a/conda_build/convert.py b/conda_build/convert.py
@@ -131,9 +131,8 @@ def extract_temporary_directory(file_path):
     """
     temporary_directory = tempfile.mkdtemp()
 
-    source = tarfile.open(file_path)
-    source.extractall(temporary_directory)
-    source.close()
+    with tarfile.open(file_path) as tar:
+        tar.extractall(temporary_directory, filter="data")
 
     return temporary_directory
 

diff --git a/conda_build/render.py b/conda_build/render.py
@@ -934,7 +934,7 @@ def open_recipe(recipe: str | os.PathLike | Path) -> Iterator[Path]:
     elif recipe.suffixes in [[".tar"], [".tar", ".gz"], [".tgz"], [".tar", ".bz2"]]:
         # extract the recipe to a temporary directory
         with TemporaryDirectory() as tmp, tarfile.open(recipe, "r:*") as tar:
-            tar.extractall(path=tmp)
+            tar.extractall(path=tmp, filter="data")
             yield Path(tmp)
     elif recipe.suffix == ".yaml":
         # read the recipe from the parent directory

diff --git a/conda_build/utils.py b/conda_build/utils.py
@@ -783,32 +783,14 @@ def _tar_xf_fallback(tarball, dir_path, mode="r:*"):
     from .os_utils.external import find_executable
 
     if tarball.lower().endswith(".tar.z"):
-        uncompress = find_executable("uncompress")
+        uncompress = find_executable("uncompress") or find_executable("gunzip")
         if not uncompress:
-            uncompress = find_executable("gunzip")
-        if not uncompress:
-            sys.exit(
-                """\
-uncompress (or gunzip) is required to unarchive .z source files.
-"""
-            )
+            sys.exit("uncompress/gunzip is required to unarchive .z source files.")
         check_call_env([uncompress, "-f", tarball])
         tarball = tarball[:-2]
 
-    t = tarfile.open(tarball, mode)
-    members = t.getmembers()
-    for i, member in enumerate(members, 0):
-        if os.path.isabs(member.name):
-            member.name = os.path.relpath(member.name, "/")
-        cwd = os.path.realpath(os.getcwd())
-        if not os.path.realpath(member.name).startswith(cwd):
-            member.name = member.name.replace("../", "")
-        if not os.path.realpath(member.name).startswith(cwd):
-            sys.exit("tarball contains unsafe path: " + member.name + " cwd is: " + cwd)
-        members[i] = member
-
-    t.extractall(path=dir_path)
-    t.close()
+    with tarfile.open(tarball, mode) as tar:
+        tar.extractall(path=dir_path, filter="data")
 
 
 def tar_xf_file(tarball, entries):