classification
Title: tarfile insecure pathname extraction
Type: behavior Stage:
Components: Library (Lib) Versions: Python 2.6
process
Status: closed Resolution: works for me
Dependencies: Superseder:
Assigned To: lars.gustaebel Nosy List: doko, lars.gustaebel, matejcik
Priority: normal Keywords: patch

Created on 2007-08-28 10:09 by lars.gustaebel, last changed 2010-04-01 11:05 by doko. This issue is now closed.

Files
File name                 Uploaded                          Description
insecure_pathnames.diff lars.gustaebel, 2007-08-28 10:09
Messages (6)
msg55361 - Author: Lars Gustäbel (lars.gustaebel) * (Python committer) Date: 2007-08-28 10:09
tarfile does not check pathnames or linknames on extraction. This can
lead to data loss or attack scenarios when members with absolute
pathnames or pathnames outside of the archive's scope overwrite or
overlay existing files or directories.

Example of a symlink attack against /etc/passwd:

foo -> /etc
foo/passwd
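Added example (not the patch attached to this issue, and not code from the Python project): a script that builds the archive from the report in memory, 'foo' as a symlink and 'foo/passwd' as a regular file, shows a plain extractall() writing through the symlink, and then extracts with a per-member pathname and linkname check of the kind the report asks for. It assumes a POSIX filesystem with symlinks; a temporary directory stands in for /etc, the function and member names (check_member, safe_extractall, build_archive, victim_etc) are this example's own, and the filter= keyword it passes on Python 3.12 and later is the standard library's own extraction-filter mechanism, used here only as a second layer behind the hand-written check.

```python
import io
import os
import sys
import tarfile
import tempfile


def _escapes(dest, candidate):
    """True if candidate resolves outside dest; realpath follows symlinks
    that earlier members have already placed on disk."""
    dest = os.path.realpath(dest)
    return os.path.commonpath([dest, os.path.realpath(candidate)]) != dest


def check_member(dest, member):
    """Return None if member may be extracted into dest, else the reason not to."""
    name = member.name
    if os.path.isabs(name):
        return "absolute pathname"
    if ".." in name.split("/"):
        return "pathname contains '..'"
    target = os.path.join(dest, name)
    # Resolving against the tree extracted so far is what would catch
    # 'foo/passwd' if a symlink 'foo' had somehow already been written.
    if _escapes(dest, target):
        return "pathname resolves outside destination"
    if member.issym() or member.islnk():
        # symlink targets are relative to the link's directory, hard links to the root
        base = os.path.dirname(target) if member.issym() else dest
        if os.path.isabs(member.linkname) or _escapes(dest, os.path.join(base, member.linkname)):
            return "link target outside destination"
    return None


def safe_extractall(tar, dest):
    """Extract one member at a time, checking each against what is already on
    disk, and abort on the first bad member."""
    for member in tar:
        reason = check_member(dest, member)
        if reason is not None:
            raise tarfile.TarError(f"refusing {member.name!r}: {reason}")
        if sys.version_info >= (3, 12):
            tar.extract(member, dest, filter="data")  # stdlib filter as a second layer
        else:
            tar.extract(member, dest)


def build_archive(members):
    """Serialize [(name, attrs, data)] into tar bytes (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, attrs, data in members:
            info = tarfile.TarInfo(name)
            for key, value in attrs.items():
                setattr(info, key, value)
            if data is not None:
                info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data is not None else None)
    return buf.getvalue()


def demo():
    """Returns (refusal message, files the checked extractor produced from a
    benign archive, whether the unchecked extractor wrote outside its tree)."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim_etc")  # stand-in for /etc
        checked, unchecked = os.path.join(root, "checked"), os.path.join(root, "unchecked")
        for d in (victim, checked, unchecked):
            os.makedirs(d)
        overlay = build_archive([  # the report's 'foo -> /etc', 'foo/passwd'
            ("foo", {"type": tarfile.SYMTYPE, "linkname": victim}, None),
            ("foo/passwd", {}, b"root::0:0:root:/root:/bin/sh\n"),
        ])
        benign = build_archive([
            ("docs", {"type": tarfile.DIRTYPE, "mode": 0o755}, None),
            ("docs/readme.txt", {}, b"hello\n"),
            ("docs/latest", {"type": tarfile.SYMTYPE, "linkname": "readme.txt"}, None),
        ])
        try:
            with tarfile.open(fileobj=io.BytesIO(overlay)) as tar:
                safe_extractall(tar, checked)
            refusal = None
        except tarfile.TarError as exc:
            refusal = str(exc)
        assert not os.path.exists(os.path.join(victim, "passwd"))  # nothing escaped
        with tarfile.open(fileobj=io.BytesIO(benign)) as tar:
            safe_extractall(tar, checked)
        extracted = sorted(os.path.relpath(os.path.join(d, f), checked)
                           for d, _, files in os.walk(checked) for f in files)
        with tarfile.open(fileobj=io.BytesIO(overlay)) as tar:  # the unchecked way
            if sys.version_info >= (3, 12):
                tar.extractall(unchecked, filter="fully_trusted")  # opt out of 3.12+ filters
            else:
                tar.extractall(unchecked)
        escaped = os.path.isfile(os.path.join(victim, "passwd"))
        return refusal, extracted, escaped
```

demo() refuses the archive at 'foo' with "link target outside destination", extracts the benign archive in full, and reports True for the unchecked run, where 'passwd' ends up in the stand-in /etc. The point to take away is that a check on member names alone is not enough: 'foo/passwd' looks harmless in isolation, and the overlay is stopped either by checking the linkname of 'foo' before it is created or by resolving each member's parent directory against what is already on disk; the check above does both.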
msg55362 - Author: jan matejek (matejcik) * Date: 2007-08-28 10:22
No change to extract()?

Otherwise looks good to me. If you don't object, I am applying this to
SUSE's Python 2.5.
msg55365 - Author: Lars Gustäbel (lars.gustaebel) * (Python committer) Date: 2007-08-28 10:45
In principle I do not object, but this is a preliminary patch. I am
still not happy with the naming of the "check_paths" argument. Also, the
patch was made against the trunk which means that it contains hunks with
the new reStructuredText documentation. Please be patient.

I do not change extract() because it has become more and more a
low-level method over the years, that makes promises it cannot keep and
should not be used at all. I try to discourage its use in the documentation.
msg55464 - Author: Lars Gustäbel (lars.gustaebel) * (Python committer) Date: 2007-08-30 08:03
After careful consideration and a private discussion with Martin I no
longer think that we have a security issue here. tarfile.py does nothing
wrong; its behaviour conforms to the pax definition and pathname
resolution guidelines in POSIX. There is no known or possible practical
exploit.

I will update the documentation with a warning that it might be dangerous to
extract archives from untrusted sources. That is the only thing to be
done IMO.
msg55489 - Author: jan matejek (matejcik) * Date: 2007-08-30 16:23
If that can be considered the "official stance", it's fine by me. Feel free
to close the bug.
msg55509 - Author: Lars Gustäbel (lars.gustaebel) * (Python committer) Date: 2007-08-30 20:28
I updated the documentation, r57764 (trunk) and r57765 (2.5).
History
Date                 User            Action  Args
2010-04-01 11:05:53  doko            set     nosy: + doko
2007-08-30 20:28:31  lars.gustaebel  set     status: open -> closed; resolution: works for me; messages: + msg55509
2007-08-30 16:23:50  matejcik        set     messages: + msg55489
2007-08-30 08:03:25  lars.gustaebel  set     type: security -> behavior; messages: + msg55464
2007-08-28 10:45:21  lars.gustaebel  set     messages: + msg55365
2007-08-28 10:22:34  matejcik        set     messages: + msg55362
2007-08-28 10:09:24  lars.gustaebel  create