From cdddb7528b97b35e6df9c63a516dbcfca01dc10a Mon Sep 17 00:00:00 2001
From: Kovid Goyal
Date: Tue, 25 Aug 2015 12:55:10 +0530
Subject: [PATCH] Make extracting the icon files a little safer

---
 src/calibre/gui2/icon_theme.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/calibre/gui2/icon_theme.py b/src/calibre/gui2/icon_theme.py
index 7f5d25f195..e421e26cc2 100644
--- a/src/calibre/gui2/icon_theme.py
+++ b/src/calibre/gui2/icon_theme.py
@@ -685,19 +685,24 @@ def remove_icon_theme():
         os.remove(metadata_file)
 
 def install_icon_theme(theme, f):
-    icdir = os.path.join(config_dir, 'resources', 'images')
+    icdir = os.path.abspath(os.path.join(config_dir, 'resources', 'images'))
     if not os.path.exists(icdir):
         os.makedirs(icdir)
     theme['files'] = set()
     metadata_file = os.path.join(icdir, 'icon-theme.json')
     with ZipFile(f) as zf:
         for name in zf.namelist():
+            if '..' in name:
+                continue
             base = icdir
             if '/' in name:
                 base = os.path.join(icdir, os.path.dirname(name))
                 if not os.path.exists(base):
                     os.makedirs(base)
-            with zf.open(name) as src, open(os.path.join(base, os.path.basename(name)), 'wb') as dest:
+            destpath = os.path.abspath(os.path.join(base, os.path.basename(name)))
+            if not destpath.startswith(icdir):
+                continue
+            with zf.open(name) as src, open(destpath, 'wb') as dest:
                 shutil.copyfileobj(src, dest)
             theme['files'].add(name)