Message289388
I noticed that "python3 -m tarfile -x archive.tar" uses absolute paths by default, whereas the UNIX tar command doesn't by default. The UNIX tar command requires explicitly adding the --absolute-paths (-P) option.
I suggest adding a boolean absolute_path option to tarfile, disabled by default.
Example of creating such an archive. See that tar also removes "/" by default and requires passing -P explicitly:
$ cd $HOME
# /home/haypo
$ echo TEST > test
$ tar -cf test.tar /home/haypo/test
tar: Removing leading `/' from member names
$ rm -f test.tar
$ tar -P -cf test.tar /home/haypo/test
$ rm -f test
Extracting such an archive using tar is safe *by default*:
$ mkdir z
$ cd z
$ tar -xf ~/test.tar
tar: Removing leading `/' from member names
$ find
.
./home
./home/haypo
./home/haypo/test
Extracting such an archive using Python is unsafe:
$ python3 -m tarfile -e ~/test.tar
$ cat ~/test
TEST
$ pwd
/home/haypo/z
Python creates files outside the current directory, which is unsafe, whereas tar doesn't.
Date | User | Action | Args
2017-03-10 16:13:44 | vstinner | set | recipients: + vstinner
2017-03-10 16:13:44 | vstinner | set | messageid: <1489162424.66.0.632437535873.issue29788@psf.upfronthosting.co.za>
2017-03-10 16:13:44 | vstinner | link | issue29788 messages
2017-03-10 16:13:44 | vstinner | create |
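The tar behaviour shown in the message above ("Removing leading `/' from member names") can be reproduced on the extracting side in Python. The following is an added example, not part of the original message and not CPython's own code; the function names are hypothetical, and the archive is constructed in memory with the same member name as in the report.

```python
import io
import os
import tarfile
import tempfile


def build_absolute_member_tar(name, payload):
    """Build an in-memory tar whose single member has the given name (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name=name)  # TarInfo keeps a leading "/" as given
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def safe_extract(tar_bytes, dest):
    """Extract regular files and directories under dest, like tar without -P."""
    dest = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf:
            # Strip leading separators so "/home/x" becomes "home/x".
            rel = member.name.lstrip("/\\")
            target = os.path.realpath(os.path.join(dest, rel))
            # Refuse anything that still resolves outside dest (e.g. via "..").
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"member escapes destination: {member.name!r}")
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            elif member.isreg():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tf.extractfile(member) as src, open(target, "wb") as out:
                    out.write(src.read())
                written.append(os.path.relpath(target, dest))
            # Links and device nodes are skipped in this example.
    return written


def demo():
    """Extract the constructed archive into a temporary directory."""
    data = build_absolute_member_tar("/home/haypo/test", b"TEST\n")
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(data, dest)
```

The file lands at home/haypo/test under the destination directory, matching the `find` output from the tar run in the message.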