[Pkg-privacy-commits] [Git][pkg-privacy-team/mat2][upstream] New upstream version 0.13.0

Georg Faerber (@georg) georg at debian.org
Thu Jul 7 12:10:02 BST 2022



Georg Faerber pushed to branch upstream at Privacy Maintainers / mat2


Commits:
38949b6d by Georg Faerber at 2022-07-07T10:55:43+00:00
New upstream version 0.13.0
- - - - -


9 changed files:

- CHANGELOG.md
- doc/mat2.1
- libmat2/archive.py
- libmat2/images.py
- libmat2/parser_factory.py
- mat2
- setup.py
- + tests/data/dirty.heic
- tests/test_libmat2.py


Changes:

=====================================
CHANGELOG.md
=====================================
@@ -1,3 +1,8 @@
+# 0.13.0 - 2022-07-06
+
+- Fix an arbitrary file read
+- Add support for heic files 
+
 # 0.12.4 - 2022-04-30
 
 - Fix possible errors/crashes when processing multiple files


=====================================
doc/mat2.1
=====================================
@@ -1,4 +1,4 @@
-.TH mat2 "1" "April 2022" "mat2 0.12.4" "User Commands"
+.TH mat2 "1" "July 2022" "mat2 0.13.0" "User Commands"
 
 .SH NAME
 mat2 \- the metadata anonymisation toolkit 2


=====================================
libmat2/archive.py
=====================================
@@ -179,7 +179,7 @@ class ArchiveBasedAbstractParser(abstract.AbstractParser):
                 # Some fileformats do require to have the `mimetype` file
                 # as the first file in the archive.
                 if self._get_member_name(item) == 'mimetype':
-                    items = [item] + items
+                    items.insert(0, item)
                 else:
                     items.append(item)
 
@@ -190,17 +190,33 @@ class ArchiveBasedAbstractParser(abstract.AbstractParser):
                 if member_name[-1] == '/':  # `is_dir` is added in Python3.6
                     continue  # don't keep empty folders
 
-                zin.extract(member=item, path=temp_folder)
                 full_path = os.path.join(temp_folder, member_name)
+                if not os.path.abspath(full_path).startswith(temp_folder):
+                    logging.error("%s contains a file (%s) pointing outside (%s) of its root.",
+                            self.filename, member_name, full_path)
+                    abort = True
+                    break
+
+                zin.extract(member=item, path=temp_folder)
+
+                try:
+                    original_permissions = os.stat(full_path).st_mode
+                except FileNotFoundError:
+                    logging.error("Something went wrong during processing of "
+                            "%s in %s, likely a path traversal attack.",
+                            member_name, self.filename)
+                    abort = True
+                    # we're breaking instead of continuing, because this exception
+                    # is raised in case of weird path-traversal-like atttacks.
+                    break
 
-                original_permissions = os.stat(full_path).st_mode
                 os.chmod(full_path, original_permissions | stat.S_IWUSR | stat.S_IRUSR)
 
                 original_compression = self._get_member_compression(item)
 
                 if self._specific_cleanup(full_path) is False:
-                    logging.warning("Something went wrong during deep cleaning of %s",
-                                    member_name)
+                    logging.warning("Something went wrong during deep cleaning of %s in %s",
+                                    member_name, self.filename)
                     abort = True
                     continue
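Review bot: The containment check on the `if not os.path.abspath(full_path).startswith(temp_folder)` line is a plain string-prefix test, so a path that resolves into a sibling directory whose name merely begins with the temp folder's name (`<temp_folder>x/...`) would pass it. Anchoring the prefix at a separator closes that gap: `if not os.path.abspath(full_path).startswith(os.path.join(temp_folder, '')):`. The check also presumes `temp_folder` is already absolute and normalised, which is established outside the hunk; if any backend behind `zin` can materialise symlinks during extraction, comparing `os.path.realpath` of both sides would be the more robust form. The enclosing loop and the `abort` flag it sets begin before the hunk.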
 


=====================================
libmat2/images.py
=====================================
@@ -181,3 +181,23 @@ class PPMParser(abstract.AbstractParser):
                         line = re.sub(r"\s+", "", line, flags=re.UNICODE)
                         fout.write(line)
         return True
+
+class HEICParser(exiftool.ExiftoolParser):
+    mimetypes = {'image/heic'}
+    meta_allowlist = {'SourceFile', 'ExifToolVersion', 'FileName','Directory',
+            'FileSize', 'FileModifyDate', 'FileAccessDate',
+            'FileInodeChangeDate', 'FilePermissions', 'FileType',
+            'FileTypeExtension', 'MIMEType', 'MajorBrand', 'MinorVersion',
+            'CompatibleBrands','HandlerType', 'PrimaryItemReference',
+            'HEVCConfigurationVersion', 'GeneralProfileSpace',
+            'GeneralTierFlag', 'GeneralProfileIDC',
+            'GenProfileCompatibilityFlags', 'ConstraintIndicatorFlags',
+            'GeneralLevelIDC', 'MinSpatialSegmentationIDC',
+            'ParallelismType','ChromaFormat', 'BitDepthLuma', 'BitDepthChroma',
+            'NumTemporalLayers', 'TemporalIDNested', 'ImageWidth',
+            'ImageHeight', 'ImageSpatialExtent', 'ImagePixelDepth',
+            'AverageFrameRate', 'ConstantFrameRate', 'MediaDataSize',
+            'MediaDataOffset','ImageSize', 'Megapixels'}
+
+    def remove_all(self) -> bool:
+        return self._lightweight_cleanup()
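Review bot: `HEICParser` and its `remove_all` carry no docstring, so a reader cannot tell from the hunk why the HEIC case delegates entirely to `self._lightweight_cleanup()` (presumably inherited from `exiftool.ExiftoolParser`, outside this hunk) instead of rewriting the container, nor why the long `meta_allowlist` keeps structural fields such as `MediaDataOffset` and `ImageSize`. A class docstring along the lines of `"""HEIC images are cleaned through the exiftool-based parent; meta_allowlist names the structural tags that are allowed to survive cleanup."""` plus a one-line docstring on `remove_all` would cover that, and the allowlist entries read as intent rather than verified output, so confirming against exiftool's output that none of them carries user-identifying data is worth doing. Stylistically, PEP 8 expects two blank lines before a top-level class, and the hunk adds only one after `PPMParser`'s `return True`.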


=====================================
libmat2/parser_factory.py
=====================================
@@ -11,6 +11,10 @@ T = TypeVar('T', bound='abstract.AbstractParser')
 mimetypes.add_type('application/epub+zip', '.epub')
 mimetypes.add_type('application/x-dtbncx+xml', '.ncx')  # EPUB Navigation Control XML File
 
+# This should be removed after we move to python3.10
+# https://github.com/python/cpython/commit/20a5b7e986377bdfd929d7e8c4e3db5847dfdb2d
+mimetypes.add_type('image/heic', '.heic')
+
 
 def __load_all_parsers():
     """ Loads every parser in a dynamic way """


=====================================
mat2
=====================================
@@ -17,7 +17,7 @@ except ValueError as ex:
     print(ex)
     sys.exit(1)
 
-__version__ = '0.12.4'
+__version__ = '0.13.0'
 
 # Make pyflakes happy
 assert Set


=====================================
setup.py
=====================================
@@ -5,7 +5,7 @@ with open("README.md", encoding='utf-8') as fh:
 
 setuptools.setup(
     name="mat2",
-    version='0.12.4',
+    version='0.13.0',
     author="Julien (jvoisin) Voisin",
     author_email="julien.voisin+mat2 at dustri.org",
     description="A handy tool to trash your metadata",


=====================================
tests/data/dirty.heic
=====================================
Binary files /dev/null and b/tests/data/dirty.heic differ


=====================================
tests/test_libmat2.py
=====================================
@@ -251,6 +251,12 @@ class TestGetMeta(unittest.TestCase):
         meta = p.get_meta()
         self.assertEqual(meta['Name'], 'I am so')
 
+    def test_heic(self):
+        p = images.HEICParser('./tests/data/dirty.heic')
+        meta = p.get_meta()
+        self.assertEqual(meta['ProfileCopyright'], 'Public Domain')
+        self.assertEqual(meta['ProfileDescription'], 'GIMP built-in sRGB')
+
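Review bot: No regression test accompanies the path-containment fix this commit makes in `libmat2/archive.py` (recorded in the changelog as "Fix an arbitrary file read"); the only new coverage here is `test_heic`. A test that builds an archive inside a temporary directory with a member whose name contains `..`, asserts that the parser's `remove_all()` returns False, and checks that nothing was written outside that directory would pin the new `abort`/`break` behaviour. `test_heic` itself only exercises the read side via `meta['ProfileCopyright']` and `meta['ProfileDescription']`; the `TestGetMeta` class header is outside the hunk.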
 
 class TestRemovingThumbnails(unittest.TestCase):
     def test_odt(self):
@@ -504,6 +510,11 @@ class TestCleaning(unittest.TestCase):
                 'EncodingSettings': 'Lavf52.103.0',
             },
             'expected_meta': {},
+        },{
+            'name': 'heic',
+            'parser': images.HEICParser,
+            'meta': {},
+            'expected_meta': {},
         }
         ]
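Review bot: The new `heic` entry sets `'meta': {}`, while `test_heic` earlier in this file shows that `./tests/data/dirty.heic` exposes `ProfileCopyright` and `ProfileDescription`; if this table's `meta` is what the harness expects to see before cleaning, an empty dict means the case never confirms that the fixture was dirty to begin with. Listing those two keys, `'meta': {'ProfileCopyright': 'Public Domain', 'ProfileDescription': 'GIMP built-in sRGB'},`, would make the cleaning case assert that the cleanup actually removed something. The loop that consumes this table is outside the hunk, so the exact meaning of `meta` should be checked there first.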
 




