Author vstinner
Recipients vstinner
Date 2017-03-10.16:13:44
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1489162424.66.0.632437535873.issue29788@psf.upfronthosting.co.za>
In-reply-to
Content
I noticed that "python3 -m tarfile -x archive.tar" uses absolute paths by default, whereas the UNIX tar command doesn't by default. The UNIX tar command requires to add explicitly --absolute-paths (-P) option.

I suggest to add a boolean absolute_path option to tarfile, disabled by default.

Example to create such archive. See that tar also removes "/" by default and requires to pass explicitly -P:

$ cd $HOME
# /home/haypo
$ echo TEST > test
$ tar -cf test.tar /home/haypo/test
tar: Removing leading `/' from member names

$ rm -f test.tar
$ tar -P -cf test.tar /home/haypo/test
$ rm -f test


Extracting such archive using tar is safe *by default*:

$ mkdir z
$ cd z
$ tar -xf ~/test.tar
tar: Removing leading `/' from member names
$ find
.
./home
./home/haypo
./home/haypo/test


Extracting such archive using Python is unsafe:

$ python3 -m tarfile -e ~/test.tar
$ cat ~/test
TEST
$ pwd
/home/haypo/z

Python creates files outside the current directory which is unsafe, wheras tar doesn't.
History
Date User Action Args
2017-03-10 16:13:44vstinnersetrecipients: + vstinner
2017-03-10 16:13:44vstinnersetmessageid: <1489162424.66.0.632437535873.issue29788@psf.upfronthosting.co.za>
2017-03-10 16:13:44vstinnerlinkissue29788 messages
2017-03-10 16:13:44vstinnercreate