Author vstinner
Recipients vstinner
Date 2017-03-10.16:13:44
I noticed that "python3 -m tarfile -x archive.tar" uses absolute paths by default, whereas the UNIX tar command doesn't by default. The UNIX tar command requires explicitly adding the --absolute-paths (-P) option.

I suggest adding a boolean absolute_path option to tarfile, disabled by default.

Example of creating such an archive. Note that tar also removes "/" by default and requires passing -P explicitly:

$ cd $HOME
# /home/haypo
$ echo TEST > test
$ tar -cf test.tar /home/haypo/test
tar: Removing leading `/' from member names

$ rm -f test.tar
$ tar -P -cf test.tar /home/haypo/test
$ rm -f test

Extracting such an archive using tar is safe *by default*:

$ mkdir z
$ cd z
$ tar -xf ~/test.tar
tar: Removing leading `/' from member names
$ find

Extracting such an archive using Python is unsafe:

$ python3 -m tarfile -e ~/test.tar
$ cat ~/test
$ pwd

Python creates files outside the current directory, which is unsafe, whereas tar doesn't.
Date                 User      Action  Args
2017-03-10 16:13:44  vstinner  set     recipients: + vstinner
2017-03-10 16:13:44  vstinner  set     messageid: <>
2017-03-10 16:13:44  vstinner  link    issue29788 messages
2017-03-10 16:13:44  vstinner  create
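
The default behaviour of tar described in the message above (dropping the leading "/" from member names), written out for Python's tarfile as an added example; it is not part of the original message or of CPython. The function names and the sample member names are constructed for illustration, and the sketch assumes that links and device nodes are skipped rather than validated.

```python
import io
import os
import tarfile
import tempfile


def build_archive(names):
    """Return an in-memory tar holding one small file per name (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"TEST\n"
            info = tarfile.TarInfo(name)  # TarInfo keeps a leading "/" as given
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def safe_members(tar, dest):
    """Yield files and directories with the leading "/" removed, as tar does by
    default, skipping any member that would still resolve outside dest."""
    root = os.path.realpath(dest)
    for member in tar:
        if not (member.isfile() or member.isdir()):
            continue  # assumption: links and devices are skipped in this sketch
        name = member.name.lstrip("/")
        target = os.path.realpath(os.path.join(root, name))
        if not name or os.path.commonpath([root, target]) != root:
            continue  # empty name or "../" traversal out of dest
        member.name = name
        yield member


def extract_safely(archive, dest):
    """Extract into dest and return the relative paths that were written."""
    with tarfile.open(fileobj=archive) as tar:
        members = list(safe_members(tar, dest))
        tar.extractall(dest, members=members)
    return sorted(m.name for m in members)


if __name__ == "__main__":
    # Constructed member names: one absolute, one traversal, one ordinary.
    names = ["/home/haypo/test", "../escape", "ok/file.txt"]
    with tempfile.TemporaryDirectory() as dest:
        print(extract_safely(build_archive(names), dest))
```

Python releases that implement PEP 706 extraction filters offer `extractall(filter="data")`, which strips leading slashes and rejects members that resolve outside the destination.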