Jakub Wilk <jw...@jwilk.net> added the comment:
I've tested Lars's patch against my collection of sly tarballs: https://github.com/jwilk/path-traversal-samples SafeTarFile defeated most, but not all attacks. It still allows directory traversal for these two tarfile: 1) https://github.com/jwilk/path-traversal-samples/releases/download/0/dirsymlink2a.tar lrwxrwxrwx cur -> . lrwxrwxrwx par -> cur/.. -rw-r--r-- par/moo 2) https://github.com/jwilk/path-traversal-samples/releases/download/0/dirsymlink2b.tar lrwxrwxrwx cur -> . lrwxrwxrwx cur/par -> .. -rw-r--r-- par/moo ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue21109> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
