fix(backups): skip pontentially bogus files in backups

WeblateOrg · Jun 28, 2024 · b6a7eac · b6a7eac
1 parent 0137a35
commit b6a7eac
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/weblate/trans/backups.py b/weblate/trans/backups.py
@@ -601,9 +601,11 @@ def restore(self, project_name: str, project_slug: str, user, billing=None):
             # Extract VCS
             for name in zipfile.namelist():
                 if name.startswith(self.VCS_PREFIX):
-                    targetpath = os.path.join(
-                        project.full_path, name[self.VCS_PREFIX_LEN :]
-                    )
+                    path = name[self.VCS_PREFIX_LEN :]
+                    # Skip potentially dangerous paths
+                    if path != os.path.normpath(path):
+                        continue
+                    targetpath = os.path.join(project.full_path, path)
                     upperdirs = os.path.dirname(targetpath)
                     if upperdirs and not os.path.exists(upperdirs):
                         os.makedirs(upperdirs)