[issue45170] tarfile missing cross-directory checking

2021-09-20 Thread Martin Panter
Martin Panter added the comment:

Issue 21109 has been open for a while and is the same as this, if I am not mistaken.

--
nosy: +martin.panter
resolution: -> duplicate
stage: -> resolved
status: open -> closed
superseder: -> tarfile: Traversal attack vulnerability

[issue45170] tarfile missing cross-directory checking

2021-09-11 Thread Eric V. Smith
Eric V. Smith added the comment:

This is documented in the tarfile docs:

Warning
Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two

[issue45170] tarfile missing cross-directory checking

2021-09-11 Thread daji ma
New submission from daji ma:

tarfile is missing cross-directory checking, like ../ or ..\; this potentially causes cross-directory decompression. The exp:

# -*- coding: utf-8 -*-
import tarfile

def extract_tar(file_path, dest_path):
    try:
        with tarfile.open(file_path, 'r') as