
Author jwilk
Recipients Arfrever, Daniel.Garcia, Philippe.Godbout, benjamin.peterson, christian.heimes, edulix, georg.brandl, jcea, jwilk, lars.gustaebel, martin.panter, ned.deily, r.david.murray, serhiy.storchaka, taleinat, vstinner
Date 2018-08-28.16:14:46
Message-id <1535472887.04.0.56676864532.issue21109@psf.upfronthosting.co.za>
Content
I've tested Lars's patch against my collection of sly tarballs:
https://github.com/jwilk/path-traversal-samples

SafeTarFile defeated most, but not all attacks.
It still allows directory traversal for these two tarfiles:

1) https://github.com/jwilk/path-traversal-samples/releases/download/0/dirsymlink2a.tar

lrwxrwxrwx  cur -> .
lrwxrwxrwx  par -> cur/..
-rw-r--r--  par/moo

2) https://github.com/jwilk/path-traversal-samples/releases/download/0/dirsymlink2b.tar

lrwxrwxrwx  cur -> .
lrwxrwxrwx  cur/par -> ..
-rw-r--r--  par/moo
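
The two listings above can be checked by replaying the members in extraction order and following every symlink recorded so far. This is an added example, not part of the original message and not Lars's patch; `resolve`, `first_escape` and the sample tuples are names and data constructed here from the listings, and hard links are not modelled.

```python
def resolve(path, links, hops=40):
    """Walk `path` from the extraction root, following recorded symlinks.
    Returns the resolved components, or None if the walk leaves the root."""
    if path.startswith("/"):
        return None
    stack, todo = [], path.split("/")[::-1]   # todo: components left, reversed
    while todo:
        part = todo.pop()
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                return None                   # stepped above the root
            stack.pop()
            continue
        target = links.get(tuple(stack + [part]))
        if target is None:
            stack.append(part)                # ordinary file or directory
            continue
        hops -= 1
        if hops < 0 or target.startswith("/"):
            return None                       # link loop or absolute target
        todo.extend(target.split("/")[::-1])  # target is relative to link's dir
    return stack

def first_escape(members):
    """members: (name, linkname or None) in archive order, e.g. built with
    [(m.name, m.linkname if m.issym() else None) for m in tarfile_obj].
    Returns the first member whose extraction would land outside the root."""
    links = {}
    for name, linkname in members:
        parent, _, base = name.rstrip("/").rpartition("/")
        where = resolve(parent, links)
        if where is None:
            return name
        if linkname is not None:
            links[tuple(where + [base])] = linkname  # record at real location
        elif resolve(name, links) is None:
            return name
    return None

# Constructed from the listings in the message above.
SAMPLE_2A = [("cur", "."), ("par", "cur/.."), ("par/moo", None)]
SAMPLE_2B = [("cur", "."), ("cur/par", ".."), ("par/moo", None)]
# Constructed benign case: the link target stays inside the root.
BENIGN = [("dir/", None), ("dir/up", ".."), ("dir/up/file", None)]

if __name__ == "__main__":
    for sample in (SAMPLE_2A, SAMPLE_2B, BENIGN):
        print(first_escape(sample))
```

Both samples are flagged at `par/moo`: in the first the target `cur/..` only leaves the root once `cur` is followed to `.`, and in the second the link written as `cur/par` is actually created at `par` in the root.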