tarfile extractall() allows local attacker to overwrite files while extracting #46288
Comments
python 2.5.1 sets directories created to world-writeable while extracting which means
I can confirm that this issue has been addressed in trunk tarfile.py.
I noticed that in the trunk, ZipFile._extract_member, at line 865, still A quick grep shows that tarfile still uses the default permissions for
Lars, can you take a look?
This was fixed in the trunk in r53526 about a year ago following The os.mkdir() call in TarFile.makedir() uses the default mode, but the The os.makedirs() call in _extract_member() (trunk) is fine. It creates I attached a patchset against the release25-maint branch and the trunk
Even though it does change existing behaviour, can anybody imagine a If not, I would consider this a security-relevant fix, and thus a
os.mkdir() and os.makedirs() always apply the current umask to the mode. The only exception is in TarFile._extract_member() in Python <= 2.5.x
I took the liberty of applying my patches to the trunk (r60588) and the
Closing as fixed.
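The thread above is about directories ending up world-writable after `tarfile` extraction. The following is an added example, not code from the issue or from CPython: it builds a constructed archive whose directory header asks for mode 0777, extracts it (with the `data` filter where the running Python has one), then audits the extracted tree for directories with the other-write bit set and strips group/other write as an explicit post-extraction control, independent of whatever umask the library did or did not apply. The member names `shared` and `shared/readme.txt` are constructed sample values.

```python
import io
import os
import stat
import tarfile
import tempfile


def build_sample_tar() -> bytes:
    """Constructed sample archive: a directory whose header requests mode 0777."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        d = tarfile.TarInfo("shared")
        d.type = tarfile.DIRTYPE
        d.mode = 0o777  # world-writable request coming from the archive itself
        tar.addfile(d)
        payload = b"hello\n"
        f = tarfile.TarInfo("shared/readme.txt")
        f.size = len(payload)
        f.mode = 0o666
        tar.addfile(f, io.BytesIO(payload))
    return buf.getvalue()


def world_writable_dirs(root: str) -> list:
    """Relative paths of directories under root (root included) with o+w set."""
    found = []
    for dirpath, _, _ in os.walk(root):
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            found.append(os.path.relpath(dirpath, root))
    return sorted(found)


def strip_group_other_write(root: str) -> None:
    """Apply the equivalent of umask 022 after the fact to every directory."""
    for dirpath, _, _ in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        os.chmod(dirpath, mode & ~(stat.S_IWGRP | stat.S_IWOTH))


def extract_and_check(tar_bytes: bytes, dest: str) -> dict:
    """Extract, audit directory permissions, repair them, and report both states."""
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        requested = {m.name: m.mode for m in tar.getmembers()}
        tar.extractall(dest, **kwargs)
    before = world_writable_dirs(dest)
    strip_group_other_write(dest)
    return {"requested": requested, "before": before,
            "after": world_writable_dirs(dest)}


def demo() -> dict:
    with tempfile.TemporaryDirectory() as dest:
        return extract_and_check(build_sample_tar(), dest)
```

On interpreters that lack the `data` filter the archive's 0777 shows up in `before`; on newer ones the filter already neutralises it, and the audit confirms that rather than assuming it.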