Thomas W. Barr <t...@rice.edu> added the comment:

My working solution is to iterate through the members, ensuring that os.path.abspath(os.path.join(path, member)) always .startswith(path). This seems like a better solution than trying to trap on a pattern in the string. Presumably the same fix can be made to tarfile.
For what it's worth, OS X's BOMArchiveManager will place a file stored as '../foo.txt' in the extract path, not in the directory right outside it.

While we're on the topic, there may also be a bug in this, or in the tarfile package, that would allow a malicious archive to extract a symlink to an existing directory somewhere on the target machine, and then have files extracted through that symlink. I haven't really thought that through, but I'm sure that my fix won't correct that possible issue.

----------
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue6972>
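The containment check described in the comment above, written out as an added example; this is not code from the issue, from Python's zipfile module, or from the commenter. It keeps the abspath(join(dest, member)) idea but swaps os.path.commonpath in for .startswith, because a plain prefix test also accepts a sibling directory that happens to share the prefix (naive_is_within below shows that), and it adds a realpath check on each target's parent directory before writing, which is one way to cover the symlink case the comment raises. The function names, the in-memory sample archive and the temporary directory layout are all constructed for the example.

```python
import io
import os
import tempfile
import zipfile


def naive_is_within(dest, target):
    """The .startswith form of the check. Accepts '/tmp/out-other/x' for
    dest '/tmp/out' because the string prefix matches, so it is shown
    here only as the weak variant."""
    return os.path.abspath(target).startswith(os.path.abspath(dest))


def is_within(dest, target):
    """True if target's normalized path is dest or lies beneath dest."""
    dest = os.path.abspath(dest)
    target = os.path.abspath(target)
    return os.path.commonpath([dest, target]) == dest


def classify_members(dest, names):
    """Split member names into those that resolve inside dest and those
    that would land outside it. os.path.join drops dest entirely when a
    name is absolute, so absolute members fail the same test."""
    safe, unsafe = [], []
    for name in names:
        (safe if is_within(dest, os.path.join(dest, name)) else unsafe).append(name)
    return safe, unsafe


def build_sample_zip():
    """Constructed in-memory archive mixing benign and traversal names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ok.txt", "fine")
        zf.writestr("sub/nested.txt", "fine")
        zf.writestr("../escape.txt", "evil")
        zf.writestr("sub/../../escape2.txt", "evil")
    return buf.getvalue()


def safe_extract(zip_bytes, dest):
    """Extract only members whose target stays inside dest.

    After the lexical check, the parent directory of each target is
    resolved with realpath, so a symlink already present under dest
    (planted by an earlier member or beforehand) cannot redirect the
    write outside dest. Returns (extracted, skipped) member lists."""
    dest = os.path.abspath(dest)
    real_dest = os.path.realpath(dest)
    extracted, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.join(dest, name)
            if not is_within(dest, target):
                skipped.append(name)
                continue
            target = os.path.abspath(target)
            if name.endswith("/"):  # directory entry
                os.makedirs(target, exist_ok=True)
                continue
            parent = os.path.dirname(target)
            os.makedirs(parent, exist_ok=True)
            if os.path.commonpath([real_dest, os.path.realpath(parent)]) != real_dest:
                skipped.append(name)  # parent resolves through a link to outside dest
                continue
            with zf.open(name) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, skipped


def demo(plant_symlink=False):
    """Run safe_extract on the sample archive in a fresh temp tree.
    With plant_symlink=True, dest/sub is pre-created as a symlink to a
    directory outside dest, standing in for a link dropped by an earlier
    member; the 'sub/nested.txt' write must then be refused.
    Returns (extracted, skipped, files that leaked into the outside dir)."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "dest")
        outside = os.path.join(root, "outside")
        os.makedirs(dest)
        os.makedirs(outside)
        if plant_symlink:
            os.symlink(outside, os.path.join(dest, "sub"))
        extracted, skipped = safe_extract(build_sample_zip(), dest)
        return extracted, skipped, sorted(os.listdir(outside))


if __name__ == "__main__":
    print(demo())
    print(demo(plant_symlink=True))
```

The realpath step deliberately runs after os.makedirs and just before the write: checking the path string alone would pass 'sub/nested.txt' even when 'sub' is a link, since the lexical target is inside dest either way.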