Message93305
My working solution is to iterate through members and ensure that
os.path.abspath(os.path.join(path, member)) always .startswith(path).
This seems like a better solution than trying to trap on a pattern in
the string. Presumably the same fix can be made to tarfile.
For what it's worth, OS X's BOMArchiveManager will place a file stored
as '../foo.txt' in the extract path, not the directory right outside it.
While we're on the topic, there may also be a bug in this, or the
tarfile package, that would allow a malicious archive to extract a
symlink to an existing directory somewhere on the target machine, and
files extracted to that symlink. I haven't really thought that through,
but I'm sure that my fix won't correct that possible issue.
Date | User | Action | Args
2009-09-29 17:20:09 | twb | set | recipients: + twb, amaury.forgeotdarc, schmir
2009-09-29 17:20:09 | twb | set | messageid: <1254244809.86.0.528071888958.issue6972@psf.upfronthosting.co.za>
2009-09-29 17:20:08 | twb | link | issue6972 messages
2009-09-29 17:20:07 | twb | create |
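The containment check described in the message above, written out as an added example (not code from the tracker thread or from the zipfile/tarfile modules). It contrasts the plain startswith() form with one based on os.path.commonpath, because a bare prefix test accepts a sibling directory whose name merely begins with the extraction path (for example /srv/extract2 when extracting into /srv/extract). The extraction directory and member names below are constructed for illustration; the check is purely lexical, so it does not address the symlink-in-archive concern the message also raises.

```python
import os

# Constructed extraction directory; it does not need to exist, since the
# check is lexical (abspath/normpath) and touches no filesystem state.
EXTRACT_DIR = "/srv/extract"


def naive_is_safe(extract_dir, member_name):
    """The startswith() form from the message, shown for comparison."""
    base = os.path.abspath(extract_dir)
    target = os.path.abspath(os.path.join(base, member_name))
    return target.startswith(base)


def strict_is_safe(extract_dir, member_name):
    """True only if the resolved member path lies inside extract_dir.

    os.path.commonpath compares whole path components, so '/srv/extract2/x'
    is correctly rejected for base '/srv/extract', where a prefix test
    would accept it. os.path.join discards base when member_name is
    absolute, and abspath collapses '..' segments, so both cases are
    caught by the same comparison.
    """
    base = os.path.abspath(extract_dir)
    target = os.path.abspath(os.path.join(base, member_name))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:
        # Raised when the paths have no common root (e.g. different drives
        # on Windows); treat that as outside the extraction directory.
        return False


def partition_members(extract_dir, member_names, check=strict_is_safe):
    """Split archive member names into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for name in member_names:
        (accepted if check(extract_dir, name) else rejected).append(name)
    return accepted, rejected


# Constructed member names covering the cases a zip/tar listing may contain.
SAMPLE_MEMBERS = [
    "sub/ok.txt",        # ordinary relative path: inside
    "a/../b.txt",        # '..' that stays inside after normalisation
    "../foo.txt",        # escapes one level up
    "/etc/hosts",        # absolute path: join() drops the base entirely
    "../extract2/x",     # sibling dir sharing the base as a string prefix
]

if __name__ == "__main__":
    for label, fn in (("startswith", naive_is_safe), ("commonpath", strict_is_safe)):
        ok, bad = partition_members(EXTRACT_DIR, SAMPLE_MEMBERS, fn)
        print(f"{label}: accepted={ok} rejected={bad}")
```

Running the block shows the two checks agreeing on every member except `../extract2/x`, which only the commonpath form rejects. Either form is applied before extraction, per member, so a rejected name aborts the extraction rather than writing anything.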