Author larry
Recipients Daniel.Garcia, benjamin.peterson, christian.heimes, georg.brandl, larry, lars.gustaebel, ned.deily, r.david.murray, serhiy.storchaka, vstinner
Date 2014-04-06.14:51:56
Message-id <1396795916.82.0.218573630706.issue21109@psf.upfronthosting.co.za>
Content
Thank you Lars for your thorough reply.

While I agree that this isn't a release blocker, as it was clearly designed to behave this way... it seems to me that it wouldn't take much to make the tarfile module a lot safer.  Specifically:

  * Don't allow creating files whose absolute path is not under the
    destination.
  * Don't allow creating links (hard or soft) which link to a path
    outside of the destination.
  * Don't create device nodes.

This would fix your listed attacks 1-6.  The remaining attacks you cite are denial-of-service attacks; while they're undesirable, they shouldn't compromise the security of the machine.  (I suppose we could even address those, adding "reasonable" quotas for disk space and number of files.)

I doubt that would make tarfile secure.  But maybe "practicality beats purity"?
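The three checks proposed in this message, as an added example (not tarfile's own code, and not from this issue): a member-level audit that rejects paths escaping the destination, links pointing outside it, and device nodes, exercised on a constructed in-memory archive. The destination path is an assumption; the archive only needs to be inspected, not extracted.

```python
import io
import os
import tarfile
from typing import Dict, Optional

def _inside(dest: str, path: str) -> bool:
    """True if dest/path resolves to dest itself or something beneath it."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, path))
    return target == dest or target.startswith(dest + os.sep)

def classify_member(member: tarfile.TarInfo, dest: str) -> Optional[str]:
    """Return a reason the member must not be extracted, or None if it passes.
    Checks each member in isolation against the on-disk destination; links
    written earlier from the same archive are not visible to realpath(), so
    either reject links entirely or extract one member at a time and re-check."""
    if member.isdev():
        return "device node"
    if not _inside(dest, member.name):
        return "path escapes destination"
    if member.issym():
        # symlink targets resolve relative to the link's own directory
        link_dir = os.path.dirname(member.name)
        if not _inside(dest, os.path.join(link_dir, member.linkname)):
            return "symlink target escapes destination"
    if member.islnk():
        # hard link targets are archive-relative paths
        if not _inside(dest, member.linkname):
            return "hard link target escapes destination"
    return None

def build_sample_archive() -> bytes:
    """Constructed archive: one benign member plus the three unsafe kinds."""
    buf, data = io.BytesIO(), b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        ti = tarfile.TarInfo("docs/readme.txt"); ti.size = len(data)
        tar.addfile(ti, io.BytesIO(data))
        ti = tarfile.TarInfo("../outside.txt"); ti.size = len(data)
        tar.addfile(ti, io.BytesIO(data))
        ti = tarfile.TarInfo("docs/link"); ti.type = tarfile.SYMTYPE
        ti.linkname = "../../escape"; tar.addfile(ti)
        ti = tarfile.TarInfo("dev/null"); ti.type = tarfile.CHRTYPE
        ti.devmajor, ti.devminor = 1, 3; tar.addfile(ti)
    return buf.getvalue()

def audit(archive: bytes, dest: str) -> Dict[str, Optional[str]]:
    """Map each member name to its rejection reason (None = safe to extract)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return {m.name: classify_member(m, dest) for m in tar.getmembers()}
```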