Author jwilk
Recipients Arfrever, Daniel.Garcia, Philippe.Godbout, benjamin.peterson, christian.heimes, edulix, georg.brandl, jcea, jwilk, lars.gustaebel, martin.panter, ned.deily, r.david.murray, serhiy.storchaka, taleinat, vstinner
Date 2018-08-28.16:14:46
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1535472887.04.0.56676864532.issue21109@psf.upfronthosting.co.za>
In-reply-to
Content
I've tested Lars's patch against my collection of sly tarballs:
https://github.com/jwilk/path-traversal-samples

SafeTarFile defeated most, but not all attacks.
It still allows directory traversal for these two tarfiles:

1) https://github.com/jwilk/path-traversal-samples/releases/download/0/dirsymlink2a.tar

lrwxrwxrwx  cur -> .
lrwxrwxrwx  par -> cur/..
-rw-r--r--  par/moo

2) https://github.com/jwilk/path-traversal-samples/releases/download/0/dirsymlink2b.tar

lrwxrwxrwx  cur -> .
lrwxrwxrwx  cur/par -> ..
-rw-r--r--  par/moo
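A static pre-extraction check that catches both tarballs above, added here as an example that is not part of the tracker discussion or of CPython: it replays the archive in extraction order, records each symlink at the path where it would actually land (possibly through an earlier link), and resolves every later member through those links, so the escape is detected before anything touches the disk. The member lists are reconstructed from the listings in the message; `resolve`, `escaping_members` and `build_tar` are names chosen for this example.

```python
import io
import tarfile

def resolve(path, links, depth=0):
    """Components of `path` after following archive symlinks; a leading '..' escapes."""
    if depth > 40:  # cyclic links (a -> b -> a) would otherwise recurse forever
        raise ValueError("symlink loop: " + path)
    parts = []
    for part in [p for p in path.split("/") if p not in ("", ".")]:
        if part == ".." and parts and parts[-1] != "..":
            parts.pop()
            continue
        parts.append(part)  # an unpoppable '..' stays and marks an escape
        target = links.get("/".join(parts))
        if target is not None and target.startswith("/"):
            return [".."]  # absolute target: always outside the root
        if target is not None:  # relative target is taken from the link's parent dir
            parts = resolve("/".join(parts[:-1] + [target]), links, depth + 1)
    return parts

def escaping_members(fileobj):
    """Names of members that extraction would write outside the destination root."""
    links, bad = {}, []  # links: landing path -> target, filled in extraction order
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        for m in tar:
            try:
                if m.issym():  # record the link where it really lands (maybe via earlier links)
                    links["/".join(resolve(m.name, links))] = m.linkname
                where = resolve(m.name, links)
            except ValueError:
                where = [".."]  # a link loop is hostile too
            if m.name.startswith("/") or where[:1] == [".."]:
                bad.append(m.name)
    return bad

def build_tar(entries):
    """Constructed in-memory tar: (name, None) is an empty file, (name, target) a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in entries:
            info = tarfile.TarInfo(name)
            if target is not None:
                info.type, info.linkname = tarfile.SYMTYPE, target
            tar.addfile(info)
    buf.seek(0)
    return buf

DIRSYMLINK2A = [("cur", "."), ("par", "cur/.."), ("par/moo", None)]  # reconstructed from the report
DIRSYMLINK2B = [("cur", "."), ("cur/par", ".."), ("par/moo", None)]  # reconstructed from the report
```

Running `escaping_members(build_tar(DIRSYMLINK2A))` reports `par` and `par/moo`, and the 2b archive reports `cur/par` and `par/moo`; on Python 3.12 and later the built-in `filter='data'` of `TarFile.extractall` also rejects members that would land outside the destination.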