Message334920
| Author |
christian.heimes |
| Recipients |
SilentGhost, christian.heimes, jeffknupp, push0ebp, uhei3nn9 |
| Date |
2019年02月06日.10:32:47 |
| SpamBayes Score |
-1.0 |
| Marked as misclassified |
Yes |
| Message-id |
<1549449167.79.0.248348545426.issue35909@roundup.psfhosted.org> |
| In-reply-to |
| Content |
You are both right and wrong. The zipfile module of Python 3.7 is fine, but the tarfile module is still vulnerable.
$ curl -O https://raw.githubusercontent.com/snyk/zip-slip-vulnerability/master/archives/zip-slip.zip
$ curl -O https://raw.githubusercontent.com/snyk/zip-slip-vulnerability/master/archives/zip-slip.tar
$ mkdir /tmp/zipslip
$ cd /tmp/zipslip
Test zipfile:
$ python3
>>> import zipfile
>>> zf = zipfile.ZipFile('zip-slip.zip')
>>> zf.printdir()
File Name Modified Size
good.txt 2018年04月15日 22:04:30 19
../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt 2018年04月15日 22:04:42 20
>>> zf.extractall()
>>> exit()
$ find
.
./tmp
./tmp/evil.txt
./good.txt
./zip-slip.tar
./zip-slip.zip
Test tarfile
$ rm -rf good.txt tmp/
$ python3
>>> import tarfile
>>> import tarfile
>>> tf = tarfile.TarFile('zip-slip.tar')
>>> tf.list()
?rw-r--r-- grander/staff 19 2018年04月15日 19:04:29 good.txt
?rw-r--r-- grander/staff 20 2018年06月03日 13:49:05 ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt
>>> tf.extractall()
# find
.
./zip-slip.tar
./good.txt
./zip-slip.zip
# cat /tmp/evil.txt
this is an evil one |
|
History
|
|---|
| Date |
User |
Action |
Args |
| 2019年02月06日 10:32:49 | christian.heimes | set | recipients:
+ christian.heimes, SilentGhost, jeffknupp, push0ebp, uhei3nn9 |
| 2019年02月06日 10:32:47 | christian.heimes | set | messageid: <1549449167.79.0.248348545426.issue35909@roundup.psfhosted.org> |
| 2019年02月06日 10:32:47 | christian.heimes | link | issue35909 messages |
| 2019年02月06日 10:32:47 | christian.heimes | create |
|