Issue 35669: tar symlink - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/79850

classification

Title:	tar symlink
Type:	security	Stage:
Components:	Library (Lib), macOS, Windows	Versions:	Python 3.8, Python 2.7

process

Status:	open	Resolution:
Dependencies:		Superseder:
Assigned To:		Nosy List:	Jeffrey.Kintscher, Yilmaz, epicfaace, ned.deily, paul.moore, ronaldoussoren, steve.dower, tim.golden, xtreak, zach.ware
Priority:	normal	Keywords:

Created on 2019-01-06 09:08 by Yilmaz, last changed 2022-04-11 14:59 by admin.

Messages (4)
msg333094 - (view)	Author: Yigit Can (Yilmaz)	Date: 2019-01-06 09:08
##Summary: A TAR file can escape the Python working directory with symlink. #Steps to reproduce: 1- Create a directory in Desktop (for example : testbolum) 2- Enter the path with "cd" command. 3- Create a symbolic link with "ln" command ( ln -s ../ symlink ). 4- Create a test files with "touch" command (touch ../testfile) 5- Create a tar file with "tar" command line tool ( tar -czvf proofofconcept.tar symlink/ symlink/testfile) 6- Delete "symlink" with "rm" command 7- Delete "../testfile" with "rm" command 8- Run "extract_tar.py" You can see "testfile" in "../" path Proof of concept: "status_python.mp4" ##Status on ptar: Apply the steps to reproduce for "ptar". ptar warning the user. You can see "status_on_ptarsymlink_file.mp4". ##Status on tar: Apply the steps to reproduce for "tar". tar warning the user. You can see "status_on_tarsymlink_file.mp4". #Note for Step 3: You can set a other path for example ( ln -s /user/test/area/ symlink) Python should be check symbolic link . The user may not be aware of this. This issue may also cause the software service to run in macos. ##Proof of concept files: http://yigittestman.000webhostapp.com/ta/ ##Impact: when the user tar file is extracting, the file will be sent to the desired location of the attacker. This issue may also cause the software service to mount in macOS.
msg333097 - (view)	Author: Karthikeyan Singaravelan (xtreak) *	Date: 2019-01-06 09:38
Thanks for the report. Is this similar to issue21109?
msg333101 - (view)	Author: Yigit Can (Yilmaz)	Date: 2019-01-06 11:07
Similar but not same.
msg349608 - (view)	Author: Ashwin Ramaswami (epicfaace) *	Date: 2019-08-13 19:15
I believe the SafeTarFile class proposed in issue21109 fixes this.

History
Date	User	Action	Args
2022-04-11 14:59:10	admin	set	github: 79850
2019-08-13 19:15:08	epicfaace	set	nosy: + epicfaace messages: + msg349608
2019-06-05 23:52:30	Jeffrey.Kintscher	set	nosy: + Jeffrey.Kintscher
2019-01-06 11:07:33	Yilmaz	set	messages: + msg333101
2019-01-06 09:38:30	xtreak	set	nosy: + xtreak messages: + msg333097
2019-01-06 09:08:11	Yilmaz	create