Classification
Title: tarfile extract can write files outside the destination path
Type: security
Stage: resolved
Components: (none)
Versions: Python 3.7, Python 3.6, Python 3.5, Python 2.7

Process
Status: closed
Resolution: duplicate
Dependencies: (none)
Superseder: issue 21109: tarfile: Traversal attack vulnerability
Assigned To: (nobody)
Nosy List: Arfrever, gregory.p.smith, jwilk, r.david.murray, schmir, serhiy.storchaka, taleinat
Priority: normal
Keywords: (none)

Created on 2013-02-02 06:02 by gregory.p.smith, last changed 2018-08-28 05:42 by gregory.p.smith. This issue is now closed.

Files
absolute_path.tar | uploaded by gregory.p.smith, 2013-02-02 06:02 | tar file with a single "/absolute_path" file in it.
Messages (4)
msg181133 - Author: Gregory P. Smith (gregory.p.smith) (Python committer) - Date: 2013-02-02 06:02
Create a malicious .tar file with entries containing absolute or relative paths and the tarfile module happily uses them as is without sanity checking.

filed in response to http://bugs.python.org/issue6972 which fixed the zipfile module for this.

I'm attaching an example tar file to demonstrate this (safely) but much worse things could obviously be done.
msg181168 - Author: R. David Murray (r.david.murray) (Python committer) - Date: 2013-02-02 14:12
Please see issue 1044.  I have no opinion here, I just remembered that this had been discussed before.
msg181223 - Author: Gregory P. Smith (gregory.p.smith) (Python committer) - Date: 2013-02-02 22:20
Given issue 1044, this is not high priority.  I still think it'd be useful.
msg324191 - Author: Tal Einat (taleinat) (Python committer) - Date: 2018-08-27 18:45
I suggest marking this as a duplicate of #21109, which is more general and includes most of the relevant discussion and patches.
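An added example, not code from the issue or from CPython's tarfile module: a pre-extraction check that resolves every member name (and every symlink or hard-link target) against the destination directory and refuses the archive if any entry would land outside it, exercised on a constructed in-memory archive containing the same kind of "/absolute_path" entry as the attached file. The destination path used in the test is a placeholder.

```python
import io
import os
import tarfile


def is_within_directory(directory, target):
    """True if `target` (absolute, or relative to `directory`) resolves inside it."""
    base = os.path.realpath(directory)
    # join() drops `base` for an absolute `target`, which is how "/absolute_path"
    # escapes; realpath() then shows where the entry would really land.
    full = os.path.realpath(os.path.join(base, target))
    try:
        return os.path.commonpath([base, full]) == base
    except ValueError:  # different drives on Windows
        return False


def unsafe_members(tar, dest):
    """Names of members whose file, symlink or hard-link target leaves `dest`."""
    bad = []
    for m in tar.getmembers():
        targets = [m.name]
        if m.issym():  # symlink target is relative to the link's own directory
            targets.append(os.path.join(os.path.dirname(m.name), m.linkname))
        elif m.islnk():  # hard-link target is relative to the archive root
            targets.append(m.linkname)
        if not all(is_within_directory(dest, t) for t in targets):
            bad.append(m.name)
    return bad


def safe_extractall(tar, dest):
    """Extract only after every member has been checked against `dest`."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError("refusing to extract into %r, members escape: %s" % (dest, bad))
    tar.extractall(dest)


def build_sample_tar(names):
    """Constructed in-memory archive with one 1-byte file per name (nothing touches disk)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

Python 3.12 added the `filter="data"` argument to `TarFile.extractall()`, which performs checks of this kind inside the standard library.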
History
Date | User | Action | Args
2018-08-28 05:42:43 | gregory.p.smith | set | status: open -> closed; superseder: tarfile: Traversal attack vulnerability; resolution: duplicate; stage: needs patch -> resolved
2018-08-27 18:45:05 | taleinat | set | nosy: + taleinat; messages: + msg324191
2018-06-01 17:08:51 | jwilk | set | nosy: + jwilk
2016-09-24 21:57:22 | martin.panter | link | issue21109 dependencies
2016-09-08 23:42:27 | christian.heimes | set | stage: needs patch; versions: + Python 3.5, Python 3.6, Python 3.7, - Python 3.2, Python 3.3, Python 3.4
2013-02-03 04:31:27 | Arfrever | set | nosy: + Arfrever
2013-02-02 22:20:05 | gregory.p.smith | set | priority: high -> normal; messages: + msg181223
2013-02-02 14:12:13 | r.david.murray | set | nosy: + r.david.murray; messages: + msg181168
2013-02-02 07:41:19 | serhiy.storchaka | set | nosy: + serhiy.storchaka
2013-02-02 06:55:53 | schmir | set | nosy: + schmir
2013-02-02 06:02:27 | gregory.p.smith | create |