This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author gregory.p.smith
Recipients gregory.p.smith
Date 2013-02-02.06:02:26
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Create a malicious .tar file with entries containing absolute or relative paths and the tarfile module happily uses them as is without sanity checking.

filed in response to which fixed the zipfile module for this.

I'm attaching an example tar file to demonstrate this (safely) but much worse things could obviously be done.
Date User Action Args
2013-02-02 06:02:27gregory.p.smithsetrecipients: + gregory.p.smith
2013-02-02 06:02:27gregory.p.smithsetmessageid: <>
2013-02-02 06:02:27gregory.p.smithlinkissue17102 messages
2013-02-02 06:02:26gregory.p.smithcreate