Martin Panter added the comment:
Seems like shutil._unpack_tarfile() is affected. I guess it could at least do
with one of those warnings in the documentation for make_archive().
The patch for this bug looks a bit over enthusiastic, for example
skip_prefixes("blaua../stuff") would incorrectly strip the first bit and just
return "stuff".
It seems there might already be plenty of existing code to check for bad paths.
Examples that come to mind:
* http.server.SimpleHTTPRequestHandler.translate_path()
* zipfile.ZipFile._extract_member()
* shutil._unpack_zipfile()
This code either ignores the bad path elements, or ignores the whole path.
Perhaps some of it could be recycled into a common function somewhere, rather
than implementing it all over again for tar files.
I have written my own function joinpath() to do this sort of checking, which
you are welcome to use:
https://bitbucket.org/vadmium/pyrescene/src/34264f6/rescene/utility.py#cl-217
You would call it with something like joinpath(tarpath.split("/"), osdir).
----------
nosy: +vadmium
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue21109>
_______________________________________
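The path check discussed in this thread, written out as an added example that is not the tracker's, Martin Panter's joinpath(), or CPython's own code. The helper names (safe_join, is_safe, safe_extract, build_sample_tar, run_demo) and the in-memory sample archive are assumptions constructed for this illustration. It takes the "ignore the whole path" approach mentioned above: a member name is normalised with posixpath, then rejected outright if it is empty, absolute, still begins with ".." after normalisation, or would otherwise resolve outside the destination; symlink and hardlink targets get the same check so an archive cannot plant a link to the outside and then write through it. The name "blaua../stuff" from the comment is kept intact, since "blaua.." is an ordinary path component rather than a parent reference.

```python
import io
import os
import posixpath
import shutil
import tarfile
import tempfile


def safe_join(root, name):
    """Join a tar member name onto root, refusing names that could escape it.

    Hypothetical helper for this example (not tarfile/shutil code). Member
    names in a tar archive use '/' as separator, whatever the host OS.
    Returns the absolute target path, or raises ValueError.
    """
    if not name or name.startswith("/"):
        raise ValueError("absolute or empty member name: %r" % name)
    # Collapse '.', '//' and in-tree '..' lexically; anything that still
    # begins with '..' afterwards points above the destination.
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        raise ValueError("parent reference in member name: %r" % name)
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    for part in parts:
        # A component must not smuggle in the host separator (e.g. '\' on
        # Windows), which os.path.join would otherwise honour.
        if os.sep in part or (os.altsep and os.altsep in part):
            raise ValueError("host separator in member name: %r" % name)
    root = os.path.abspath(root)
    target = os.path.normpath(os.path.join(root, *parts))
    # Belt and braces: the joined path must still sit under root. On Windows
    # a 'C:' component would change drive and commonpath raises ValueError.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("member escapes destination: %r" % name)
    return target


def is_safe(root, name):
    """True if safe_join() accepts the member name."""
    try:
        safe_join(root, name)
    except ValueError:
        return False
    return True


def safe_extract(tar_bytes, dest):
    """Extract only members whose name (and link target, for links) resolve
    under dest. Returns (extracted, rejected) lists of member names."""
    extracted, rejected = [], []
    # Newer tarfile versions take an extraction filter; pass one when the
    # installed version supports it so no DeprecationWarning is raised.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            try:
                safe_join(dest, member.name)
                if member.issym() or member.islnk():
                    # A symlink target is relative to the link's own
                    # directory; a hardlink target is archive-root-relative.
                    base = os.path.dirname(member.name) if member.issym() else ""
                    safe_join(dest, posixpath.join(base, member.linkname))
            except ValueError:
                rejected.append(member.name)
                continue
            tar.extract(member, dest, **kwargs)
            extracted.append(member.name)
    return extracted, rejected


def build_sample_tar():
    """Constructed sample archive (bytes) mixing benign and hostile names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("ok/readme.txt", "blaua../stuff", "../escape.txt",
                     "/abs.txt", "ok/../../up.txt"):
            data = b"content of " + name.encode()
            info = tarfile.TarInfo(name)   # addfile() keeps names verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("ok/link")  # symlink pointing above dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def run_demo():
    """Extract the sample archive into a throwaway directory and report what
    was written, what was refused, and the top-level entries left on disk."""
    dest = tempfile.mkdtemp(prefix="safe_untar_")
    try:
        extracted, rejected = safe_extract(build_sample_tar(), dest)
        on_disk = sorted(os.listdir(dest))
    finally:
        shutil.rmtree(dest)
    return sorted(extracted), sorted(rejected), on_disk


if __name__ == "__main__":
    print(run_demo())
```

The check is purely lexical, so it does not protect against symlinks that already exist inside the destination before extraction starts, and it must be applied to every member before that member is written, not to the archive as a whole afterwards. CPython later resolved this issue with tarfile extraction filters (PEP 706), which perform a comparable check inside tarfile itself; the hand-rolled version above is what callers on older versions, or of shutil.unpack_archive(), would need.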