Message93305
| Author |
twb |
| Recipients |
amaury.forgeotdarc, schmir, twb |
| Date |
2009年09月29日.17:20:07 |
| SpamBayes Score |
6.812384e-12 |
| Marked as misclassified |
No |
| Message-id |
<1254244809.86.0.528071888958.issue6972@psf.upfronthosting.co.za> |
| In-reply-to |
| Content |
My working solution is to iterate through members, and ensuring that
os.path.abspath(os.path.join(path, member)) always .startswith(path).
This seems like a better solution than trying to trap on a pattern in
the string. Presumably the same fix can be made to tarfile.
For what it's worth, OS X's BOMArchiveManager will place a file stored
as '../foo.txt' in the extract path, not the directory right outside it.
While we're on the topic, there may also be a bug in this, or the
tarfile package that would allow a malicious archive to extract a
symlink to an existing directory somewhere on the target machine, and
files extracted to that symlink. I haven't really thought that through,
but I'm sure that my fix won't correct that possible issue. |
|
History
|
|---|
| Date |
User |
Action |
Args |
| 2009年09月29日 17:20:09 | twb | set | recipients:
+ twb, amaury.forgeotdarc, schmir |
| 2009年09月29日 17:20:09 | twb | set | messageid: <1254244809.86.0.528071888958.issue6972@psf.upfronthosting.co.za> |
| 2009年09月29日 17:20:08 | twb | link | issue6972 messages |
| 2009年09月29日 17:20:07 | twb | create |
|