Message215222
The application does not validate the filenames inside the tar archive, allowing files to be extracted to an arbitrary path. An attacker can craft a tar file to override files.
I've seen this vulnerability in libtar:
http://lwn.net/Vulnerabilities/587141/
I've checked that Python tarfile doesn't validate the filenames, so Python tarfile is vulnerable to this attack.

Date | User | Action | Args
2014-03-31 08:14:19 | Daniel.Garcia | set | recipients: + Daniel.Garcia
2014-03-31 08:14:19 | Daniel.Garcia | set | messageid: <1396253659.12.0.842636239516.issue21109@psf.upfronthosting.co.za>
2014-03-31 08:14:19 | Daniel.Garcia | link | issue21109 messages
2014-03-31 08:14:18 | Daniel.Garcia | create |