
Author lars.gustaebel
Recipients lars.gustaebel, matejcik
Date 2007-08-28.10:09:22
Message-id <1188295764.62.0.164889561412.issue1044@psf.upfronthosting.co.za>
Content
tarfile does not check pathnames or linknames on extraction. This can
lead to data loss or attack scenarios when members with absolute
pathnames or pathnames outside of the archive's scope overwrite or
overlay existing files or directories.

Example for a symlink attack against /etc/passwd:

foo -> /etc
foo/passwd
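The pattern in the message (a symlink member followed by a regular member whose path runs through it) can be caught by inspecting the archive's member list before anything is written to disk. The following is an added example, not code from the attached insecure_pathnames.diff or from CPython's tarfile module; it builds a small archive in memory with constructed member names that reproduce the `foo -> /etc` / `foo/passwd` case, plus a `..` traversal member and one harmless file, and reports every member that should not be extracted as-is.

```python
import io
import posixpath
import tarfile


def _escapes(path: str) -> bool:
    """Lexical check: would this archive-relative path leave the extraction root?"""
    norm = posixpath.normpath(path)
    return posixpath.isabs(norm) or norm == ".." or norm.startswith("../")


def find_unsafe_members(tar: tarfile.TarFile) -> list:
    """Return (member name, reason) pairs for members that must not be extracted as-is.

    Flags absolute or '..' member names, symlink and hard-link targets that resolve
    outside the extraction root, and members whose path passes through a symlink
    created earlier in the same archive (the 'foo -> /etc' then 'foo/passwd' pattern).
    """
    problems = []
    symlinks_seen = set()  # normalised names of symlink members already in the archive
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        if _escapes(m.name):
            problems.append((m.name, "member path escapes the extraction root"))
            continue
        # Any prefix of this path that an earlier member turned into a symlink
        # would redirect the write somewhere else; treat that as unsafe.
        parts = name.split("/")
        if any("/".join(parts[:i]) in symlinks_seen for i in range(1, len(parts))):
            problems.append((m.name, "member path passes through a symlink from this archive"))
            continue
        if m.issym():
            # Symlink targets are resolved relative to the link's own directory.
            target = posixpath.join(posixpath.dirname(name), m.linkname)
            symlinks_seen.add(name)
            if posixpath.isabs(m.linkname) or _escapes(target):
                problems.append((m.name, "symlink target outside the extraction root"))
        elif m.islnk():
            # Hard-link targets are archive-relative paths.
            if _escapes(m.linkname):
                problems.append((m.name, "hard link target outside the extraction root"))
    return problems


def build_demo_archive() -> bytes:
    """Constructed sample archive reproducing the pattern from the report (hypothetical data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("foo")          # foo -> /etc
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)

        payload = b"root:x:0:0::/root:/bin/sh\n"  # constructed, would land in /etc/passwd
        evil = tarfile.TarInfo("foo/passwd")
        evil.size = len(payload)
        tar.addfile(evil, io.BytesIO(payload))

        text = b"hello\n"
        good = tarfile.TarInfo("docs/readme.txt")  # a normal, safe member
        good.size = len(text)
        tar.addfile(good, io.BytesIO(text))

        tar.addfile(tarfile.TarInfo("../outside.txt"))  # plain '..' traversal
    return buf.getvalue()


def audit_archive(data: bytes) -> list:
    """Open archive bytes read-only and return the list of unsafe members."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return find_unsafe_members(tar)


if __name__ == "__main__":
    for member, reason in audit_archive(build_demo_archive()):
        print(f"{member!r}: {reason}")
```

The check is purely lexical, so it can run before `extractall()` and independently of the destination directory; an extractor that wants to keep the archive would skip the flagged members rather than abort. Current CPython (3.12 and later) ships an equivalent defence built into `tarfile` as extraction filters (`tar.extractall(path, filter="data")`), which reject the same absolute-path, traversal and out-of-tree link cases.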
Files
insecure_pathnames.diff (uploaded by lars.gustaebel, 2007-08-28.10:09:22)
History
2007-08-28 10:09:24 lars.gustaebel: linked to issue1044 messages
2007-08-28 10:09:24 lars.gustaebel: create