[issue1044] tarfile insecure pathname extraction

2018-08-27 Thread Tal Einat
Change by Tal Einat: -- Removed message: https://bugs.python.org/msg324192

[issue1044] tarfile insecure pathname extraction

2018-08-27 Thread Tal Einat
Tal Einat added the comment: I suggest marking this as a duplicate of #21109, which is more general and includes most of the relevant discussion and patches. -- nosy: +taleinat

[issue1044] tarfile insecure pathname extraction

2010-04-01 Thread Matthias Klose
Changes by Matthias Klose: -- nosy: +doko

[issue1044] tarfile insecure pathname extraction

2007-08-30 Thread Lars Gustäbel
Lars Gustäbel added the comment: I updated the documentation, r57764 (trunk) and r57765 (2.5). -- resolution: -> works for me; status: open -> closed

[issue1044] tarfile insecure pathname extraction

2007-08-30 Thread jan matejek
jan matejek added the comment: if that can be considered "official stance", it's fine by me. feel free to close the bug.

[issue1044] tarfile insecure pathname extraction

2007-08-30 Thread Lars Gustäbel
Lars Gustäbel added the comment: After careful consideration and a private discussion with Martin I do no longer think that we have a security issue here. tarfile.py does nothing wrong, its behaviour conforms to the pax definition and pathname resolution guidelines in POSIX. There is no known or

[issue1044] tarfile insecure pathname extraction

2007-08-28 Thread Lars Gustäbel
Lars Gustäbel added the comment: In principle I do not object, but this is a preliminary patch. I am still not happy with the naming of the "check_paths" argument. Also, the patch was made against the trunk which means that it contains hunks with the new reStructuredText documentation. Please be

[issue1044] tarfile insecure pathname extraction

2007-08-28 Thread jan matejek
jan matejek added the comment: no change to extract()? otherwise looks good to me. if you don't object, i am applying this to SUSE's python 2.5

[issue1044] tarfile insecure pathname extraction

2007-08-28 Thread Lars Gustäbel
New submission from Lars Gustäbel: tarfile does not check pathnames or linknames on extraction. This can lead to data loss or attack scenarios when members with absolute pathnames or pathnames outside of the archive's scope overwrite or overlay existing files or directories. Example for a symlin