
Author Daniel.Garcia
Recipients Daniel.Garcia
Date 2014-03-31.08:14:17
Message-id <1396253659.12.0.842636239516.issue21109@psf.upfronthosting.co.za>
In-reply-to
Content
The application does not validate the filenames inside the tar archive, allowing files to be extracted to an arbitrary path. An attacker can craft a tar file to override files.

I've seen this vulnerability in libtar:
http://lwn.net/Vulnerabilities/587141/
I've checked that Python tarfile doesn't validate the filenames, so Python tarfile is vulnerable to this attack.
History
Date User Action Args
2014-03-31 08:14:19 Daniel.Garcia set recipients: + Daniel.Garcia
2014-03-31 08:14:19 Daniel.Garcia set messageid: <1396253659.12.0.842636239516.issue21109@psf.upfronthosting.co.za>
2014-03-31 08:14:19 Daniel.Garcia link issue21109 messages
2014-03-31 08:14:18 Daniel.Garcia create