
Author jwilk
Recipients Arfrever, Daniel.Garcia, Philippe.Godbout, benjamin.peterson, christian.heimes, edulix, georg.brandl, jcea, jwilk, lars.gustaebel, martin.panter, ned.deily, r.david.murray, serhiy.storchaka, taleinat, vstinner
Date 2018-08-28.16:14:46
I've tested Lars's patch against my collection of sly tarballs:

SafeTarFile defeated most, but not all attacks.
It still allows directory traversal for these two tarfiles:


lrwxrwxrwx  cur -> .
lrwxrwxrwx  par -> cur/..
-rw-r--r--  par/moo


lrwxrwxrwx  cur -> .
lrwxrwxrwx  cur/par -> ..
-rw-r--r--  par/moo
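
Added example, not part of the message above or of the patch under test: a check that replays the member list against a virtual tree, following symlinks created by earlier members, and reports the first member that would be created outside the extraction root. The names `resolve`, `first_escape`, `lexically_safe` and `member` are hypothetical; `lexically_safe` is a generic name-only check shown for contrast (it is not a reproduction of SafeTarFile), and hard links are not modelled.

```python
import posixpath
import tarfile

def resolve(links, path, follow_last=True, depth=0):
    """Walk path through the symlinks seen so far; ValueError if it leaves the root."""
    if depth > 32 or path.startswith("/"):
        raise ValueError(path)
    cur, parts = [], [p for p in path.split("/") if p not in ("", ".")]
    for i, part in enumerate(parts):
        if part == "..":
            if not cur:
                raise ValueError(path)
            cur.pop()
        elif tuple(cur + [part]) in links and (follow_last or i < len(parts) - 1):
            target = links[tuple(cur + [part])]  # relative to the link's real directory
            nxt = target if target.startswith("/") else "/".join(cur + [target])
            cur = list(resolve(links, nxt, True, depth + 1))
        else:
            cur.append(part)
    return tuple(cur)

def first_escape(members):
    """Name of the first member that would be created outside the root, else None."""
    links = {}
    for m in members:
        try:
            where = resolve(links, m.name, follow_last=False)
        except ValueError:
            return m.name
        links.pop(where, None)  # a later member replaces an earlier symlink
        if m.issym():
            links[where] = m.linkname
    return None

def lexically_safe(members):
    """Name-only check: normalises strings and never follows links."""
    for m in members:
        p = posixpath.join(posixpath.dirname(m.name), m.linkname) if m.issym() else m.name
        if p.startswith("/") or posixpath.normpath(p).split("/")[0] == "..":
            return False
    return True

def member(name, link=None):  # constructed sample entry, no file data
    ti = tarfile.TarInfo(name)
    if link is not None:
        ti.type, ti.linkname = tarfile.SYMTYPE, link
    return ti

FIRST = [member("cur", "."), member("par", "cur/.."), member("par/moo")]
SECOND = [member("cur", "."), member("cur/par", ".."), member("par/moo")]
```

Both constructed lists pass `lexically_safe`, while `first_escape` reports `par/moo` for each; `first_escape` also accepts the result of `TarFile.getmembers()`.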

Date | User | Action | Args
2018-08-28 16:14:47 | jwilk | set | recipients: + jwilk, georg.brandl, jcea, lars.gustaebel, vstinner, taleinat, christian.heimes, benjamin.peterson, ned.deily, Arfrever, r.david.murray, martin.panter, serhiy.storchaka, edulix, Daniel.Garcia, Philippe.Godbout
2018-08-28 16:14:47 | jwilk | set | messageid: <>
2018-08-28 16:14:47 | jwilk | link | issue21109 messages
2018-08-28 16:14:46 | jwilk | create |