Message 289437 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	martin.panter
Recipients	lars.gustaebel, martin.panter, vstinner
Date	2017-03-11.05:27:53
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1489210075.97.0.226922314029.issue29788@psf.upfronthosting.co.za>
In-reply-to

Content
The CLI was added in Issue 13477. I didn’t see any discussion of traversal attacks there, so maybe it was overlooked. Perhaps there should also be a warning, like with the Tarfile.extract and “extractall” methods. However I did see one of the goals was to keep the CLI simple, which I agree with. I would suggest that the CLI get this proposed behaviour by default (matching the default behaviour of modern “tar” commands), with no option to restore the current less-robust behaviour. To implement it, I suggest to fix the module internals first: Issue 21109 and/or Issue 17102. FWIW BSD calls the option “--absolute-paths” (plural paths) <https://www.freebsd.org/cgi/man.cgi?tar%281%29#OPTIONS>, while Gnu calls it “--absolute-names” <https://www.gnu.org/software/tar/manual/html_chapter/tar_6.html#SEC121>. Both these options disable other checks, such as for parent directories (..) and external symbolic link targets, so I think the term “absolute” is too specific. But please use at least replace the underscore with a dash or hyphen: “--absolute-path”, not “--absolute_path”.

The CLI was added in Issue 13477. I didn’t see any discussion of traversal attacks there, so maybe it was overlooked. Perhaps there should also be a warning, like with the Tarfile.extract and “extractall” methods.

However I did see one of the goals was to keep the CLI simple, which I agree with. I would suggest that the CLI get this proposed behaviour by default (matching the default behaviour of modern “tar” commands), with no option to restore the current less-robust behaviour.

To implement it, I suggest to fix the module internals first: Issue 21109 and/or Issue 17102.

FWIW BSD calls the option “--absolute-paths” (plural paths) <https://www.freebsd.org/cgi/man.cgi?tar%281%29#OPTIONS>, while Gnu calls it “--absolute-names” <https://www.gnu.org/software/tar/manual/html_chapter/tar_6.html#SEC121>. Both these options disable other checks, such as for parent directories (..) and external symbolic link targets, so I think the term “absolute” is too specific. But please use at least replace the underscore with a dash or hyphen: “--absolute-path”, not “--absolute_path”.

History
Date	User	Action	Args
2017-03-11 05:27:56	martin.panter	set	recipients: + martin.panter, lars.gustaebel, vstinner
2017-03-11 05:27:55	martin.panter	set	messageid: <1489210075.97.0.226922314029.issue29788@psf.upfronthosting.co.za>
2017-03-11 05:27:55	martin.panter	link	issue29788 messages
2017-03-11 05:27:53	martin.panter	create