From 357f9c7ebcc9c9b2474d99b2af36d06794dac441 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Batuhan=20Berk=20Ba=C5=9Fo=C4=9Flu?= <batuhan@basoglu.ca>
Date: Sun, 21 Jan 2024 14:19:24 -0500
Subject: [PATCH] Added the Trellix's fix.

---
 .../pygments/lexers/_php_builtins.py          | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/venv/Lib/site-packages/pygments/lexers/_php_builtins.py b/venv/Lib/site-packages/pygments/lexers/_php_builtins.py
index ad54492f2..8508f2665 100644
--- a/venv/Lib/site-packages/pygments/lexers/_php_builtins.py
+++ b/venv/Lib/site-packages/pygments/lexers/_php_builtins.py
@@ -4726,7 +4726,26 @@ if __name__ == '__main__':  # pragma: no cover
     def get_php_references():
         download = urlretrieve(PHP_MANUAL_URL)
         with tarfile.open(download[0]) as tar:
-            tar.extractall()
+            def is_within_directory(directory, target):
+
+                abs_directory = os.path.abspath(directory)
+                abs_target = os.path.abspath(target)
+
+                prefix = os.path.commonprefix([abs_directory, abs_target])
+
+                return prefix == abs_directory
+
+            def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+                for member in tar.getmembers():
+                    member_path = os.path.join(path, member.name)
+                    if not is_within_directory(path, member_path):
+                        raise Exception("Attempted Path Traversal in Tar File")
+
+                tar.extractall(path, members, numeric_owner=numeric_owner) 
+
+
+            safe_extract(tar)
         yield from glob.glob("%s%s" % (PHP_MANUAL_DIR, PHP_REFERENCE_GLOB))
         os.remove(download[0])