
Author serhiy.storchaka
Recipients Daniel.Garcia, benjamin.peterson, christian.heimes, georg.brandl, larry, lars.gustaebel, ned.deily, serhiy.storchaka, vstinner
Date 2014-03-31.13:26:44
Message-id <1396272405.12.0.728274102316.issue21109@psf.upfronthosting.co.za>
In-reply-to
Content
Yes, this behavior is documented, but it is still desirable to fix it. The tar utility has a lot of switches which control extraction, and by default it prevents three ways of attack (absolute names, '..' and symlinks), but there are other possible ways of attack. This is a complex issue and I'm working on it. See also issue19974.

In any case we should be very careful, because every protection against attack changes behavior (which can be safe if you know what you are doing), so perhaps we should add parameters which control the behavior. This is possible only in a new Python version.
History
Date  User  Action  Args
2014-03-31 13:26:45  serhiy.storchaka  set  recipients: + serhiy.storchaka, georg.brandl, lars.gustaebel, vstinner, larry, christian.heimes, benjamin.peterson, ned.deily, Daniel.Garcia
2014-03-31 13:26:45  serhiy.storchaka  set  messageid: <1396272405.12.0.728274102316.issue21109@psf.upfronthosting.co.za>
2014-03-31 13:26:45  serhiy.storchaka  link  issue21109 messages
2014-03-31 13:26:44  serhiy.storchaka  create