
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

Author jwilk
Recipients Arfrever, Daniel.Garcia, Philippe.Godbout, benjamin.peterson, christian.heimes, edulix, georg.brandl, jcea, jwilk, lars.gustaebel, martin.panter, ned.deily, r.david.murray, serhiy.storchaka, taleinat, vstinner
Date 2018-08-28.16:14:46
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1535472887.04.0.56676864532.issue21109@psf.upfronthosting.co.za>
In-reply-to
Content
I've tested Lars's patch against my collection of sly tarballs:
https://github.com/jwilk/path-traversal-samples
SafeTarFile defeated most, but not all attacks.
It still allows directory traversal for these two tarfiles:
1) https://github.com/jwilk/path-traversal-samples/releases/download/0/dirsymlink2a.tar
lrwxrwxrwx cur -> .
lrwxrwxrwx par -> cur/..
-rw-r--r-- par/moo
2) https://github.com/jwilk/path-traversal-samples/releases/download/0/dirsymlink2b.tar
lrwxrwxrwx cur -> .
lrwxrwxrwx cur/par -> ..
-rw-r--r-- par/moo
History
Date                 User   Action  Args
2018-08-28 16:14:47  jwilk  set     recipients: + jwilk, georg.brandl, jcea, lars.gustaebel, vstinner, taleinat, christian.heimes, benjamin.peterson, ned.deily, Arfrever, r.david.murray, martin.panter, serhiy.storchaka, edulix, Daniel.Garcia, Philippe.Godbout
2018-08-28 16:14:47  jwilk  set     messageid: <1535472887.04.0.56676864532.issue21109@psf.upfronthosting.co.za>
2018-08-28 16:14:47  jwilk  link    issue21109 messages
2018-08-28 16:14:46  jwilk  create
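
The two listings in the message above only escape when each path is resolved the way the filesystem would resolve it, through symlinks created by earlier members, rather than by normalizing the string. The following is an added example, not part of the message or of the patch it tests, that performs that resolution over an archive's members before anything is extracted. It assumes an empty extraction directory and handles symlinks only (not hard links); `resolve`, `unsafe_members`, `member` and the sample lists are hypothetical names constructed for illustration.

```python
import posixpath
import tarfile

def resolve(path, links, base=()):
    """Follow path from physical dir base via links; None = left the root."""
    if path.startswith("/"):
        return None
    stack, queue, hops = list(base), path.split("/"), 0
    while queue:
        comp = queue.pop(0)
        target = links.get(tuple(stack) + (comp,))
        if comp in ("", "."):
            continue
        if comp == "..":
            if not stack:
                return None  # stepped above the extraction root
            stack.pop()
        elif target is None:
            stack.append(comp)  # ordinary name, not a recorded symlink
        elif target.startswith("/") or hops >= 40:  # 40: assumed loop cap
            return None
        else:
            hops += 1
            queue[:0] = target.split("/")  # continue from the link's directory
    return tuple(stack)

def unsafe_members(members):
    """Names of members that land, or point, outside the extraction root."""
    links, bad = {}, []
    for m in members:  # a TarFile or any iterable of TarInfo, archive order
        dirname, leaf = posixpath.split(m.name)
        where = resolve(dirname if m.issym() else m.name, links)
        if where is not None and m.issym():
            links[where + (leaf,)] = m.linkname  # keyed by physical location
            where = resolve(m.linkname, links, where)  # where the link points
        if where is None:
            bad.append(m.name)
    return bad

def member(name, link=None):
    """Constructed TarInfo: regular file, or symlink when link is given."""
    info = tarfile.TarInfo(name)
    if link is not None:
        info.type, info.linkname = tarfile.SYMTYPE, link
    return info

# Constructed to mirror the two listings in the message above.
DIRSYMLINK2A = [member("cur", "."), member("par", "cur/.."), member("par/moo")]
DIRSYMLINK2B = [member("cur", "."), member("cur/par", ".."), member("par/moo")]
```

Because a `TarFile` object iterates over its `TarInfo` members, `unsafe_members(tarfile.open(path))` works on a real archive as well; a non-empty result means extraction should be refused.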
