Message215237
Yes, this behavior is documented, but still it is desirable to fix it. The tar utility has a lot of switches which controls extracting and by default it prevents three ways of attack (absolute names, '..' and symlinks), but there are other possible ways of attack. This is complex issue and I'm working on it. See also issue19974.
In any case we should be very careful because every protection against attack changes a behavior (which can be safe if you know what you do), so perhaps we should add parameters which controls behavior. This is possible only in new Python version. |
|
Date |
User |
Action |
Args |
2014-03-31 13:26:45 | serhiy.storchaka | set | recipients:
+ serhiy.storchaka, georg.brandl, lars.gustaebel, vstinner, larry, christian.heimes, benjamin.peterson, ned.deily, Daniel.Garcia |
2014-03-31 13:26:45 | serhiy.storchaka | set | messageid: <1396272405.12.0.728274102316.issue21109@psf.upfronthosting.co.za> |
2014-03-31 13:26:45 | serhiy.storchaka | link | issue21109 messages |
2014-03-31 13:26:44 | serhiy.storchaka | create | |
|