Message216675

| Field | Value |
|---|---|
| Author | martin.panter |
| Recipients | Daniel.Garcia, benjamin.peterson, christian.heimes, georg.brandl, larry, lars.gustaebel, martin.panter, ned.deily, r.david.murray, serhiy.storchaka, vstinner |
| Date | 2014-04-17 08:41:35 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <1397724096.17.0.178140787736.issue21109@psf.upfronthosting.co.za> |
| In-reply-to | |

Content
Seems like shutil._unpack_tarfile() is affected. I guess it could at least do with one of those warnings in the documentation for make_archive().
The patch for this bug looks a bit over-enthusiastic; for example, skip_prefixes("blaua../stuff") would incorrectly strip the first bit and just return "stuff".
It seems there might already be plenty of existing code to check for bad paths. Examples that come to mind:
* http.server.SimpleHTTPRequestHandler.translate_path()
* zipfile.ZipFile._extract_member()
* shutil._unpack_zipfile()
This code either ignores the bad path elements, or ignores the whole path. Perhaps some of it could be recycled into a common function somewhere, rather than implementing it all over again for tar files.
I have written my own function joinpath() to do this sort of checking, which you are welcome to use:
https://bitbucket.org/vadmium/pyrescene/src/34264f6/rescene/utility.py#cl-217
You would call it with something like joinpath(tarpath.split("/"), osdir).
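The checking strategy the message describes, as an added illustration that is not the poster's joinpath(), not pyrescene's code and not CPython's tarfile: a hypothetical safe_join(parts, base) with the same calling convention (member name split on "/", plus the local extraction directory) that drops harmless elements (a leading "/", empty and "." components) but refuses the whole member on any ".." component, while keeping a component such as "blaua.." that merely contains two dots. A constructed in-memory archive with both kinds of names is extracted into a temporary directory to show which members land inside it.

```python
import io
import os
import shutil
import tarfile
import tempfile


def safe_join(parts, base):
    """Join tar member path components onto base, refusing anything that escapes it.

    parts: the member name already split on "/" (tar names use forward slashes).
    base:  the local directory being extracted into.
    Returns the target path, or None when the member must be skipped.
    Hypothetical helper for illustration only.
    """
    base_abs = os.path.abspath(base)
    cleaned = []
    for part in parts:
        if part in ("", "."):
            continue                   # leading "/", "a//b", "./a": drop the element
        if part == "..":
            return None                # parent reference anywhere: skip the whole member
        # A component that merely contains ".." ("blaua..") is an ordinary name; keep it.
        if os.sep in part or (os.altsep and os.altsep in part):
            return None                # e.g. a backslash-separated component on Windows
        if os.path.splitdrive(part)[0]:
            return None                # "C:" style component on Windows
        cleaned.append(part)
    if not cleaned:
        return None                    # "/" or "." alone names the base directory itself
    target = os.path.join(base_abs, *cleaned)
    # Second line of defence: the normalised target must still lie under base.
    if os.path.commonpath([base_abs, os.path.abspath(target)]) != base_abs:
        return None
    return target


def check_member(name, base):
    """Return the safe target for a tar member name, or None if it must be skipped."""
    return safe_join(name.split("/"), base)


def build_sample_tar():
    """Constructed sample archive (in memory) mixing safe and traversal-style names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("good/file.txt", "blaua../stuff", "../evil.txt",
                     "a/../../evil2", "/abs.txt"):
            data = name.encode()
            info = tarfile.TarInfo(name)   # TarInfo does not sanitise the name
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def safe_extract(tar_bytes, dest):
    """Extract only regular-file members whose target stays inside dest.

    Returns {member name: "extracted" | "skipped"}.
    """
    result = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = check_member(member.name, dest)
            if target is None or not member.isfile():
                result[member.name] = "skipped"
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            result[member.name] = "extracted"
    return result


def demo():
    """Extract the constructed archive into a fresh temp dir; return (statuses, files)."""
    dest = tempfile.mkdtemp()
    try:
        statuses = safe_extract(build_sample_tar(), dest)
        present = sorted(
            os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/")
            for root, _, files in os.walk(dest) for f in files)
    finally:
        shutil.rmtree(dest)
    return statuses, present


if __name__ == "__main__":
    for name, status in demo()[0].items():
        print(f"{status:9s} {name}")
```

Two of the existing checks the message lists differ on exactly this point: dropping a bad element silently ("/abs.txt" becomes "abs.txt" here) versus refusing the whole member (any ".." does so here). Whichever policy is chosen, the final commonpath() comparison on the normalised target catches anything the component walk missed.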
History

| Date | User | Action | Args |
|---|---|---|---|
| 2014-04-17 08:41:36 | martin.panter | set | recipients: + martin.panter, georg.brandl, lars.gustaebel, vstinner, larry, christian.heimes, benjamin.peterson, ned.deily, r.david.murray, serhiy.storchaka, Daniel.Garcia |
| 2014-04-17 08:41:36 | martin.panter | set | messageid: <1397724096.17.0.178140787736.issue21109@psf.upfronthosting.co.za> |
| 2014-04-17 08:41:36 | martin.panter | link | issue21109 messages |
| 2014-04-17 08:41:35 | martin.panter | create | |