Merge pull request #457 from Gustry/python-version-tar
Fix tarfile security issue
Gustry authored Aug 9, 2024
2 parents 5fe6b6c + b1c2959 commit 05a40c2
Showing 2 changed files with 28 additions and 10 deletions.
2 changes: 0 additions & 2 deletions .docker/docker-compose.yml
@@ -1,5 +1,3 @@
version: '3.9'

networks:
qgis_plugin_network:

36 changes: 28 additions & 8 deletions cadastre/cadastre_import.py
Expand Up @@ -638,7 +638,7 @@ def importEdigeo(self):
self.dialog.connectionName,
self.dialog.schema
)
)
)
self.updateProgressBar()

if self.go:
Expand Down Expand Up @@ -1009,7 +1009,28 @@ def unzipFolderContent(self, path):
for z in tarFileListA:
with tarfile.open(z) as t:
try:
t.extractall(os.path.join(self.edigeoPlainDir, 'tar_%s' % i))
# See https://docs.python.org/3.10/library/tarfile.html#tarfile.TarFile.extractall
# See https://peps.python.org/pep-0706/
arguments = {
'filter': 'data'
}
if (3, 8, 0) <= sys.version_info < (3, 8, 17) \
or (3, 9, 0) <= sys.version_info < (3, 9, 17) \
or (3, 10, 0) <= sys.version_info < (3, 10, 12):
msg = (
"Version de Python obsolète, votre version comporte une faille de sécurité "
"concernant l'extraction d'une archive. Veuillez monter votre version de QGIS afin "
"de passer à une version plus récente dès que possible."
)
self.qc.updateLog(f"<b>{msg}</b>")
# noinspection PyTypeChecker
QgsMessageLog.logMessage(msg, 'cadastre', Qgis.Warning)
arguments.pop('filter')

t.extractall(
os.path.join(self.edigeoPlainDir, 'tar_%s' % i),
**arguments,
)
except tarfile.ReadError:
# Issue GitHub #339
self.go = False
Expand All @@ -1026,7 +1047,7 @@ def unzipFolderContent(self, path):
for z in tarFileListB:
with tarfile.open(z) as t:
try:
t.extractall(os.path.join(self.edigeoPlainDir, 'tar_%s' % i))
t.extractall(os.path.join(self.edigeoPlainDir, f'tar_{i}'))
except tarfile.ReadError:
# Issue GitHub #339
self.go = False
Expand All @@ -1039,7 +1060,7 @@ def unzipFolderContent(self, path):
try:
os.remove(z)
except OSError:
self.qc.updateLog("<b>Erreur lors de la suppression de %s</b>" % str(z))
self.qc.updateLog(f"<b>Erreur lors de la suppression de {z}</b>")
pass # in Windows, sometime file is not unlocked

except OSError:
Expand Down Expand Up @@ -1161,7 +1182,6 @@ def executeSqlScript(self, scriptPath, divide=False, ignoreError=False):

# Write comment taken from "-- some comment" lines
for comment in cr.findall(sqla):

# Update timer before writing the comment
# it will show the time taken by the previous statement
self.updateTimer()
Expand Down Expand Up @@ -1478,7 +1498,7 @@ def importEdigeoVecToDatabase(self, path):
sql = "BEGIN;"
for item in l:
sql += "INSERT INTO edigeo_rel ( nom, de, vers) VALUES ( '{}', '{}', '{}');".format(
item[0], item[1], item[2])
item[0], item[1], item[2])
sql += "COMMIT;"
sql = CadastreCommon.setSearchPath(sql, self.dialog.schema)
self.executeSqlQuery(sql)
Expand Down Expand Up @@ -1571,10 +1591,10 @@ def getUpdateMultipolygonFromVecQuery(self, path, layerType='edigeo'):
# only if the 2 geometries are related (object_rid is not unique)
if self.dialog.dbType == 'postgis':
sql += " AND geom @ ST_Transform(ST_GeomFromText('{}', {}), {}) ; ".format(
wkt, self.sourceSrid, self.targetSrid)
wkt, self.sourceSrid, self.targetSrid)
else:
sql += " AND ST_Intersects(geom, ST_Transform(ST_GeomFromText('{}', {}), {}) ); ".format(
wkt, self.sourceSrid, self.targetSrid)
wkt, self.sourceSrid, self.targetSrid)
sqlList.append(sql)

return sqlList
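Review bot: The version gate around the `filter` argument misses 3.11.0–3.11.3, where the keyword was also only added in 3.11.4 (and any 3.7 interpreter), so on those versions `t.extractall(..., filter='data')` raises TypeError, which the `except tarfile.ReadError` below does not catch. PEP 706 recommends feature detection rather than version ranges: replace the three-line `if (3, 8, 0) <= sys.version_info ...` condition with `if not hasattr(tarfile, 'data_filter'):`, which covers every backport without maintaining the list. The second extraction loop over `tarFileListB` in the next hunk (`t.extractall(os.path.join(self.edigeoPlainDir, f'tar_{i}'))`) still extracts without a filter and needs the same `**arguments` treatment for the fix to be complete. Note also that a member rejected by the data filter raises `tarfile.FilterError` (a `TarError`, not a `ReadError`), so it propagates out of the `try` instead of taking the logged `self.go = False` path — presumably intended to fail loudly, but worth stating in a comment such as `# FilterError from a rejected member is deliberately not swallowed here`. unzipFolderContent starts and ends outside the hunk.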
