
Title: tarfile extract can write files outside the destination path
Type: security
Stage: resolved
Components: (none)
Versions: Python 3.7, Python 3.6, Python 3.5, Python 2.7
Status: closed
Resolution: duplicate
Dependencies: (none)
Superseder: issue 21109 - tarfile: Traversal attack vulnerability
Assigned To: (none)
Nosy List: Arfrever, gregory.p.smith, jwilk, r.david.murray, schmir, serhiy.storchaka, taleinat
Priority: normal
Keywords: (none)

Created on 2013-02-02 06:02 by gregory.p.smith, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
File name: absolute_path.tar
Uploaded by: gregory.p.smith, 2013-02-02 06:02
Description: tar file with a single "/absolute_path" file in it.
Messages (4)
msg181133 - Author: Gregory P. Smith (gregory.p.smith) (Python committer) - Date: 2013-02-02 06:02
Create a malicious .tar file with entries containing absolute or relative paths and the tarfile module happily uses them as is without sanity checking.

filed in response to which fixed the zipfile module for this.

I'm attaching an example tar file to demonstrate this (safely) but much worse things could obviously be done.
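The check the report asks for, as an added illustration that is not part of the issue or of the tarfile module: build an in-memory archive whose entries mirror the attached "/absolute_path" file plus a "../" variant (constructed sample data), and resolve each member name against the destination before extracting anything. Assumes a POSIX filesystem; the helper names are mine.

```python
import io
import os
import tarfile


def build_tar(names):
    """Build an in-memory tar with one empty regular file per name (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)   # name is stored verbatim, leading "/" and ".." included
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


def escaping_members(tar_bytes, dest):
    """Return the member names that would land outside `dest` if extracted as-is.

    The join mirrors what extraction does; realpath collapses ".." and an
    absolute member name simply replaces `dest`, which is the reported bug.
    """
    dest_real = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(member.name)
    return bad


def safe_extract(tar_bytes, dest):
    """Refuse the whole archive if any member escapes; otherwise extract normally."""
    bad = escaping_members(tar_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract, members escape {dest!r}: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        tar.extractall(dest)


# Constructed sample: the issue's absolute entry, a parent-directory entry, one benign entry.
SAMPLE = build_tar(["/absolute_path", "../../outside.txt", "safe/file.txt"])
```

On Python 3.12 and later, `TarFile.extractall(path, filter="data")` performs an equivalent rejection inside the library itself.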
msg181168 - Author: R. David Murray (r.david.murray) (Python committer) - Date: 2013-02-02 14:12
Please see issue 1044.  I have no opinion here, I just remembered that this had been discussed before.
msg181223 - Author: Gregory P. Smith (gregory.p.smith) (Python committer) - Date: 2013-02-02 22:20
Given issue 1044, this is not high priority.  I still think it'd be useful.
msg324191 - Author: Tal Einat (taleinat) (Python committer) - Date: 2018-08-27 18:45
I suggest marking this as a duplicate of #21109, which is more general and includes most of the relevant discussion and patches.
History
Date                 User              Action  Args
2022-04-11 14:57:41  admin             set     github: 61304
2018-08-28 05:42:43  gregory.p.smith   set     status: open -> closed; superseder: tarfile: Traversal attack vulnerability; resolution: duplicate; stage: needs patch -> resolved
2018-08-27 18:45:05  taleinat          set     nosy: + taleinat; messages: + msg324191
2018-06-01 17:08:51  jwilk             set     nosy: + jwilk
2016-09-24 21:57:22  martin.panter     link    issue21109 dependencies
2016-09-08 23:42:27  christian.heimes  set     stage: needs patch; versions: + Python 3.5, Python 3.6, Python 3.7, - Python 3.2, Python 3.3, Python 3.4
2013-02-03 04:31:27  Arfrever          set     nosy: + Arfrever
2013-02-02 22:20:05  gregory.p.smith   set     priority: high -> normal; messages: + msg181223
2013-02-02 14:12:13  r.david.murray    set     nosy: + r.david.murray; messages: + msg181168
2013-02-02 07:41:19  serhiy.storchaka  set     nosy: + serhiy.storchaka
2013-02-02 06:55:53  schmir            set     nosy: + schmir
2013-02-02 06:02:27  gregory.p.smith   create