Message 181133 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	gregory.p.smith
Recipients	gregory.p.smith
Date	2013年02月02日.06:02:26
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1359784947.71.0.187572651427.issue17102@psf.upfronthosting.co.za>

Content
Create a malicious .tar file with entries containing absolute or relative paths and the tarfile module happily uses them as is without sanity checking. filed in response to http://bugs.python.org/issue6972 which fixed the zipfile module for this. I'm attaching an example tar file to demonstrate this (safely) but much worse things could obviously be done.

Content

Create a malicious .tar file with entries containing absolute or relative paths and the tarfile module happily uses them as is without sanity checking.
filed in response to http://bugs.python.org/issue6972 which fixed the zipfile module for this.
I'm attaching an example tar file to demonstrate this (safely) but much worse things could obviously be done.

History
Date	User	Action	Args
2013年02月02日 06:02:27	gregory.p.smith	set	recipients: + gregory.p.smith
2013年02月02日 06:02:27	gregory.p.smith	set	messageid: <1359784947.71.0.187572651427.issue17102@psf.upfronthosting.co.za>
2013年02月02日 06:02:27	gregory.p.smith	link	issue17102 messages
2013年02月02日 06:02:26	gregory.p.smith	create

homepage