Author lars.gustaebel
Recipients lars.gustaebel, matejcik
Date 2007-08-30.08:03:24
Message-id <1188461005.29.0.39932624847.issue1044@psf.upfronthosting.co.za>
In-reply-to
Content
After careful consideration and a private discussion with Martin I no
longer think that we have a security issue here. tarfile.py does nothing
wrong, its behaviour conforms to the pax definition and pathname
resolution guidelines in POSIX. There is no known or possible practical
exploit.

I update the documentation with a warning that it might be dangerous to
extract archives from untrusted sources. That is the only thing to be
done IMO.