Author Daniel.Garcia
Recipients Daniel.Garcia
Date 2014-03-31.08:14:17
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1396253659.12.0.842636239516.issue21109@psf.upfronthosting.co.za>
In-reply-to
Content
The application does not validate the filenames inside the tar archive, allowing to extract files in arbitrary path. An attacker can craft a tar file to override files.

I've view this vulnerability in libtar:
http://lwn.net/Vulnerabilities/587141/
I've checked that python tarfile doesn't validate the filenames so python tarfile is vulnerable to this attack.
History
Date User Action Args
2014-03-31 08:14:19Daniel.Garciasetrecipients: + Daniel.Garcia
2014-03-31 08:14:19Daniel.Garciasetmessageid: <1396253659.12.0.842636239516.issue21109@psf.upfronthosting.co.za>
2014-03-31 08:14:19Daniel.Garcialinkissue21109 messages
2014-03-31 08:14:18Daniel.Garciacreate