Author twb
Recipients amaury.forgeotdarc, schmir, twb
Date 2009-09-29.17:20:07
SpamBayes Score 6.81238e-12
Marked as misclassified No
Message-id <1254244809.86.0.528071888958.issue6972@psf.upfronthosting.co.za>
In-reply-to
Content
My working solution is to iterate through members, and ensuring that
os.path.abspath(os.path.join(path, member)) always .startswith(path).
This seems like a better solution than trying to trap on a pattern in
the string. Presumably the same fix can be made to tarfile.

For what it's worth, OS X's BOMArchiveManager will place a file stored
as '../foo.txt' in the extract path, not the directory right outside it.

While we're on the topic, there may also be a bug in this, or the
tarfile package that would allow a malicious archive to extract a
symlink to an existing directory somewhere on the target machine, and
files extracted to that symlink. I haven't really thought that through,
but I'm sure that my fix won't correct that possible issue.
History
Date User Action Args
2009-09-29 17:20:09twbsetrecipients: + twb, amaury.forgeotdarc, schmir
2009-09-29 17:20:09twbsetmessageid: <1254244809.86.0.528071888958.issue6972@psf.upfronthosting.co.za>
2009-09-29 17:20:08twblinkissue6972 messages
2009-09-29 17:20:07twbcreate