3D-printing/Cura
1
0
Fork 0
mirror of https://github.com/Ultimaker/Cura.git synced 2025-07-24 23:23:57 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Check if main config file is in backup zip.

Browse source 
Prevent unpacking of possibly spoofed backups (as a last line of defence if other security has failed).
Zips with partially known content are a lot harder to spoof.
Thanks WhiteHats :-)
This commit is contained in:
Remco Burema 2020-01-31 16:26:30 +01:00
parent 1d34f1ecb4
commit a03a2885b6
No known key found for this signature in database
GPG key ID: 215C49431D43F98C
1 changed files with 8 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
cura/Backups/Backup.py
View file

@ -145,6 +145,14 @@ class Backup:
# \return Whether we had success or not.
@staticmethod
def _extractArchive(archive: "ZipFile", target_path: str) -> bool:
# Implement security recommendations: Sanity check on zip files will make it harder to spoof.
from cura.CuraApplication import CuraApplication
config_filename = CuraApplication.getInstance().getApplicationName() + ".cfg" # Should be there if valid.
if config_filename not in [file.filename for file in archive.filelist]:
Logger.logException("e", "Unable to extract the backup due to corruption of compressed file(s).")
return False
Logger.log("d", "Removing current data in location: %s", target_path)
Resources.factoryReset()
Logger.log("d", "Extracting backup to location: %s", target_path)