Bugfix: for absolute links in tarfile extraction

Explicitly use extract_root in output path instead of ./ to avoid issues with symlinks within directories.
onekey-sec · Feb 12, 2024 · fc60755 · fc60755
1 parent 76c29fe
commit fc60755
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/unblob/handlers/archive/_safe_tarfile.py b/unblob/handlers/archive/_safe_tarfile.py
@@ -82,7 +82,7 @@ def extract(self, tarinfo: tarfile.TarInfo, extract_root: Path):  # noqa: C901
                     "Absolute path as link target.",
                     "Converted to extraction relative path.",
                 )
-                tarinfo.linkname = f"./{tarinfo.linkname}"
+                tarinfo.linkname = f"{extract_root}/{tarinfo.linkname}"
 
             if not is_safe_path(
                 basedir=extract_root,