Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract().

Thanks stackered for the report. Follow up to 05413afa8c.
2025-10-26 15:16:09 +00:00 · 2025-09-16 17:13:36 +02:00
parent 41b43c74bd
commit 924a0c092e
5 changed files with 48 additions and 1 deletions
--- a/tests/utils_tests/test_archive.py
+++ b/tests/utils_tests/test_archive.py
@@ -3,6 +3,7 @@ import stat
 import sys
 import tempfile
 import unittest
+import zipfile

 from django.core.exceptions import SuspiciousOperation
 from django.test import SimpleTestCase
@@ -94,3 +95,21 @@ class TestArchiveInvalid(SimpleTestCase):
            with self.subTest(entry), tempfile.TemporaryDirectory() as tmpdir:
                with self.assertRaisesMessage(SuspiciousOperation, msg % invalid_path):
                    archive.extract(os.path.join(archives_dir, entry), tmpdir)
+
+    def test_extract_function_traversal_startswith(self):
+        with tempfile.TemporaryDirectory() as tmpdir:
+            base = os.path.abspath(tmpdir)
+            tarfile_handle = tempfile.NamedTemporaryFile(suffix=".zip", delete=False)
+            tar_path = tarfile_handle.name
+            tarfile_handle.close()
+            self.addCleanup(os.remove, tar_path)
+
+            malicious_member = os.path.join(base + "abc", "evil.txt")
+            with zipfile.ZipFile(tar_path, "w") as zf:
+                zf.writestr(malicious_member, "evil\n")
+                zf.writestr("test.txt", "data\n")
+
+            with self.assertRaisesMessage(
+                SuspiciousOperation, "Archive contains invalid path"
+            ):
+                archive.extract(tar_path, base)