Issue 17102: tarfile extract can write files outside the destination path

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/61304

classification

Title:	tarfile extract can write files outside the destination path
Type:	security	Stage:	resolved
Components:	Versions:	Python 3.7, Python 3.6, Python 3.5, Python 2.7

process

Status:	closed	Resolution:	duplicate
Dependencies:	Superseder:	tarfile: Traversal attack vulnerability View: 21109
Assigned To:	Nosy List:	Arfrever, gregory.p.smith, jwilk, r.david.murray, schmir, serhiy.storchaka, taleinat
Priority:	normal	Keywords:

Created on 2013年02月02日 06:02 by gregory.p.smith, last changed 2022年04月11日 14:57 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
absolute_path.tar	gregory.p.smith, 2013年02月02日 06:02	tar file with a single "/absolute_path" file in it.

Messages (4)
msg181133 - (view)	Author: Gregory P. Smith (gregory.p.smith) * (Python committer)	Date: 2013年02月02日 06:02
Create a malicious .tar file with entries containing absolute or relative paths and the tarfile module happily uses them as is without sanity checking. filed in response to http://bugs.python.org/issue6972 which fixed the zipfile module for this. I'm attaching an example tar file to demonstrate this (safely) but much worse things could obviously be done.
msg181168 - (view)	Author: R. David Murray (r.david.murray) * (Python committer)	Date: 2013年02月02日 14:12
Please see issue issue 1044. I have no opinion here, I just remembered that this had been discussed before.
msg181223 - (view)	Author: Gregory P. Smith (gregory.p.smith) * (Python committer)	Date: 2013年02月02日 22:20
given issue 1044, this is not high priority. i still think it'd be useful.
msg324191 - (view)	Author: Tal Einat (taleinat) * (Python committer)	Date: 2018年08月27日 18:45
I suggest marking this as a duplicate of #21109, which is more general and includes most of the relevant discussion and patches.

History
Date	User	Action	Args
2022年04月11日 14:57:41	admin	set	github: 61304
2018年08月28日 05:42:43	gregory.p.smith	set	status: open -> closed superseder: tarfile: Traversal attack vulnerability resolution: duplicate stage: needs patch -> resolved
2018年08月27日 18:45:05	taleinat	set	nosy: + taleinat messages: + msg324191
2018年06月01日 17:08:51	jwilk	set	nosy: + jwilk
2016年09月24日 21:57:22	martin.panter	link	issue21109 dependencies
2016年09月08日 23:42:27	christian.heimes	set	stage: needs patch versions: + Python 3.5, Python 3.6, Python 3.7, - Python 3.2, Python 3.3, Python 3.4
2013年02月03日 04:31:27	Arfrever	set	nosy: + Arfrever
2013年02月02日 22:20:05	gregory.p.smith	set	priority: high -> normal messages: + msg181223
2013年02月02日 14:12:13	r.david.murray	set	nosy: + r.david.murray messages: + msg181168
2013年02月02日 07:41:19	serhiy.storchaka	set	nosy: + serhiy.storchaka
2013年02月02日 06:55:53	schmir	set	nosy: + schmir
2013年02月02日 06:02:27	gregory.p.smith	create

homepage