
Author Daniel.Garcia
Recipients Daniel.Garcia
Date 2014-03-31.08:14:17
The application does not validate the filenames inside the tar archive, allowing files to be extracted to arbitrary paths. An attacker can craft a tar file to override files.

I've seen this vulnerability in libtar:
I've checked that Python's tarfile doesn't validate the filenames, so Python's tarfile is vulnerable to this attack.
Date                 User           Action  Args
2014-03-31 08:14:19  Daniel.Garcia  set     recipients: + Daniel.Garcia
2014-03-31 08:14:19  Daniel.Garcia  set     messageid: <>
2014-03-31 08:14:19  Daniel.Garcia  link    issue21109 messages
2014-03-31 08:14:18  Daniel.Garcia  create