Message93021
| Author | schmir |
| Recipients | schmir |
| Date | 2009-09-22.22:10:49 |
| SpamBayes Score | 6.670818e-05 |
| Marked as misclassified | No |
| Message-id | <1253657452.09.0.588869541997.issue6972@psf.upfronthosting.co.za> |
| In-reply-to | |
| Content |
ZipFile.extractall happily overwrites any file on the filesystem. One
can put files with a name like "//etc/password" in a zip file and
extractall will overwrite /etc/password (with sufficient rights).
The docs say:
ZipFile.extractall([path[, members[, pwd]]])
Extract all members from the archive to the current working
directory. path specifies a different directory to extract to. members
is optional and must be a subset of the list returned by namelist(). pwd
is the password used for encrypted files.
I read that as: it will put all files into path or a subdirectory.
Using names like "../../../etc/password" also leads to files being
written outside that path directory. |
|
History
| Date | User | Action | Args |
|---|---|---|---|
| 2009-09-22 22:10:52 | schmir | set | recipients: + schmir |
| 2009-09-22 22:10:52 | schmir | set | messageid: <1253657452.09.0.588869541997.issue6972@psf.upfronthosting.co.za> |
| 2009-09-22 22:10:50 | schmir | link | issue6972 messages |
| 2009-09-22 22:10:49 | schmir | create | |
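
A pre-extraction containment check for the two member-name styles described in the report, as an added example that is not part of the tracker message or of CPython's zipfile module. The function names `classify_members` and `extract_checked` and the in-memory sample archive are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive():
    """Constructed sample: one benign member plus the two name styles from the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("//etc/password", "absolute-style name")
        zf.writestr("../../../etc/password", "parent-directory name")
    buf.seek(0)
    return buf


def classify_members(zf, dest):
    """Split member names into (inside, outside) relative to dest, without extracting."""
    root = os.path.realpath(dest)
    inside, outside = [], []
    for name in zf.namelist():
        # Zip names use "/" on every platform; treat "\\" as a separator as well.
        parts = name.replace("\\", "/").split("/")
        absolute = name.startswith(("/", "\\")) or ":" in parts[0]
        target = os.path.realpath(os.path.join(root, *[p for p in parts if p]))
        contained = os.path.commonpath([root, target]) == root
        (inside if contained and not absolute else outside).append(name)
    return inside, outside


def extract_checked(zf, dest):
    """Extract only if every member stays under dest; otherwise refuse the archive."""
    inside, outside = classify_members(zf, dest)
    if outside:
        raise ValueError("members escape %r: %r" % (dest, outside))
    zf.extractall(dest, members=inside)
    return inside


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as dest, zipfile.ZipFile(build_sample_archive()) as zf:
        print(classify_members(zf, dest))
```

The check rejects the whole archive when any member name is absolute or resolves outside the destination, so nothing is written before the decision is made.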