➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2019-12-16 14:21 by jvoisin, last changed 2022-04-11 14:59 by admin.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| crash-f4032ed3c7c2ae59a8f4424e0e73ce8b11ad3ef90155b008968f5b1b08499bc4 | jvoisin, 2019-12-16 14:21 | |||
| Messages (5) | |||
|---|---|---|---|
| msg358490 - (view) | Author: jvoisin (jvoisin) | Date: 2019-12-16 14:21 | |
The attached file produces the following stacktrace when opened via `tarfile.open`, on Python 3.7.5rc1:
```
$ cat tarrepro.py
import tarfile
import sys
with tarfile.open(sys.argv[1], errorlevel=2) as t:
for member in t.getmembers():
pass
$
```
```
$ python3 tarrepro.py crash-f4032ed3c7c2ae59a8f4424e0e73ce8b11ad3ef90155b008968f5b1b08499bc4
Traceback (most recent call last):
File "tarrepro.py", line 4, in <module>
with tarfile.open(sys.argv[1], errorlevel=2) as t:
File "/usr/lib/python3.7/tarfile.py", line 1574, in open
return func(name, "r", fileobj, **kwargs)
File "/usr/lib/python3.7/tarfile.py", line 1646, in gzopen
t = cls.taropen(name, mode, fileobj, **kwargs)
File "/usr/lib/python3.7/tarfile.py", line 1622, in taropen
return cls(name, mode, fileobj, **kwargs)
File "/usr/lib/python3.7/tarfile.py", line 1485, in __init__
self.firstmember = self.next()
File "/usr/lib/python3.7/tarfile.py", line 2290, in next
tarinfo = self.tarinfo.fromtarfile(self)
File "/usr/lib/python3.7/tarfile.py", line 1094, in fromtarfile
buf = tarfile.fileobj.read(BLOCKSIZE)
File "/usr/lib/python3.7/gzip.py", line 276, in read
return self._buffer.read(size)
File "/usr/lib/python3.7/_compression.py", line 68, in readinto
data = self.read(len(byte_view))
File "/usr/lib/python3.7/gzip.py", line 463, in read
if not self._read_gzip_header():
File "/usr/lib/python3.7/gzip.py", line 421, in _read_gzip_header
self._read_exact(extra_len)
File "/usr/lib/python3.7/gzip.py", line 400, in _read_exact
raise EOFError("Compressed file ended before the "
EOFError: Compressed file ended before the end-of-stream marker was reached
```
|
|||
| msg358492 - (view) | Author: Ronald Oussoren (ronaldoussoren) *  |
Date: 2019-12-16 15:12 | |
Looks like expected behaviour, the attached file is an incomplete compressed file that does not seem to contain data (according to gzcat) gzcat: crash-f4032ed3c7c2ae59a8f4424e0e73ce8b11ad3ef90155b008968f5b1b08499bc4: unexpected end of file gzcat: crash-f4032ed3c7c2ae59a8f4424e0e73ce8b11ad3ef90155b008968f5b1b08499bc4: uncompress failed |
|||
| msg358493 - (view) | Author: jvoisin (jvoisin) | Date: 2019-12-16 15:17 | |
Unfortunately, the documentation ( https://docs.python.org/3/library/tarfile.html) doesn't mention that EOFError is an exception that could be raised when using tarfile.open :/ |
|||
| msg358494 - (view) | Author: Ronald Oussoren (ronaldoussoren) * |
Date: 2019-12-16 15:25 | |
The stdlib documentation does in general not contain exhaustive documentation on exceptions that might be raised. |
|||
| msg358540 - (view) | Author: jvoisin (jvoisin) | Date: 2019-12-17 09:45 | |
Does it means that the right™ way to process untrusted tar files is to wrap every call to functions from tarfile.py in a `try: … except Exception:` block? |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:24 | admin | set | github: 83248 |
| 2019-12-17 09:45:27 | jvoisin | set | messages: + msg358540 |
| 2019-12-16 15:25:19 | ronaldoussoren | set | nosy:
+ docs@python messages: + msg358494 assignee: docs@python components: + Documentation |
| 2019-12-16 15:17:14 | jvoisin | set | messages: + msg358493 |
| 2019-12-16 15:12:02 | ronaldoussoren | set | nosy:
+ ronaldoussoren messages: + msg358492 |
| 2019-12-16 14:21:45 | jvoisin | create | |