Martin v. Löwis wrote:
> I must admit I fail to see the bug. If root untars a file, and that tar
> file contains an instruction to overwrite /etc/passwd, why is it an error
> to execute that instruction? Shouldn't root just be more careful when
> untarring files?
GNU tar is not supposed to place files outside its working directory, unless explicitly specified otherwise. So this is considered a security vulnerability. AFAIK there is no specified behavior and other tars might act differently. But I think GNU tar behaves correctly in this regard.

Furthermore, extract() and extractall() documentation says "Extract (...) from the archive to the *current working directory* or directory [path]." So current behavior is actually inconsistent with the documentation.

>> if not tarinfo.name.startswith('../'):
>>     self.extract(tarinfo, path)
>> else:
>>     warnings.warn("non-local file skipped: %s" % tarinfo.name,
>>                   RuntimeWarning, stacklevel=1)
>
> Ok. You seem to be claiming that the tarfile is incorrect in some
> sense. Can you please point to some spec that says this is an incorrect
> tarfile?

No, the tar file itself is correct, according to POSIX. You can put anything into a tar. Point is, you should be able to untar any file 'safely'.

> In any case, if you fix what you consider broken, you should do
> it exactly the same way as GNU tar does it (assuming you consider
> GNU tar fixed).

I can do that. I would propose an optional parameter for extract() and extractall(), absolutePaths, defaulting to False. When encountering a non-local file, it would strip the leading slash or the path up to the last '../' sequence (that is what GNU tar does) and extract the file locally. Setting absolutePaths to True would restore current behavior (no checks).
regards, jan matejek
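The relocation rule proposed in the message above (drop the leading slash or everything up to the last '../' component, then extract the member locally, with an absolute-paths switch restoring the unchecked behaviour), written out as an added Python example. This is not code from the thread or from the tarfile module; the function names localize_name, is_local and safe_extractall, the absolute_paths keyword and the three-member sample archive are my own constructions.

```python
import io
import os
import tarfile
import tempfile
import warnings


def is_local(name):
    """True if a member name cannot leave the extraction directory on its own:
    not absolute and no '..' path component anywhere in it."""
    return not name.startswith("/") and ".." not in name.split("/")


def localize_name(name):
    """Rewrite a non-local member name in the GNU tar style described in the
    thread: discard everything up to and including the last '..' component,
    then drop leading slashes (and any '.' components). The result is always
    relative, or empty if nothing usable remains."""
    parts = name.split("/")
    last_dotdot = -1
    for i, part in enumerate(parts):
        if part == "..":
            last_dotdot = i
    parts = parts[last_dotdot + 1:]
    return "/".join(p for p in parts if p not in ("", "."))


def safe_extractall(tar, path, absolute_paths=False):
    """Extract every member of `tar` under `path`. Unless absolute_paths is
    True (the old, unchecked behaviour), non-local members are relocated
    under `path` and a RuntimeWarning names the original member.
    Returns (extracted_names, relocated_pairs)."""
    extracted, relocated = [], []
    for tarinfo in tar.getmembers():
        if not absolute_paths and not is_local(tarinfo.name):
            original = tarinfo.name
            tarinfo.name = localize_name(original)
            relocated.append((original, tarinfo.name))
            warnings.warn("non-local file relocated: %s -> %s"
                          % (original, tarinfo.name or "<dropped>"),
                          RuntimeWarning, stacklevel=2)
            if not tarinfo.name:  # e.g. a bare '../' directory entry
                continue
        tar.extract(tarinfo, path)
        extracted.append(tarinfo.name)
    return extracted, relocated


def build_sample_archive():
    """Constructed sample archive (assumption, not real data): one ordinary
    member plus an absolute-path member and a '../' member, both of which a
    naive extract() would write outside the destination."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("docs/readme.txt", b"hello\n"),
                           ("/tmp/absolute.txt", b"abs\n"),
                           ("../../escaped.txt", b"esc\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def demo():
    """Extract the sample archive into a scratch directory and verify that
    every file landed inside it. Returns (extracted_names, relocated_count)."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=build_sample_archive(), mode="r") as tar:
            names, relocated = safe_extractall(tar, dest)
        root = os.path.realpath(dest) + os.sep
        for n in names:
            full = os.path.realpath(os.path.join(dest, n))
            if not full.startswith(root):
                raise RuntimeError("escaped destination: %s" % full)
        return names, len(relocated)


if __name__ == "__main__":
    print(demo())
```

The check covers member names only, which is all the proposal addresses; a symlink or hard link whose target points outside the destination is a separate escape route that this filter does not inspect. Current CPython releases ship extraction filters (PEP 706, `filter='data'`) that reject both cases before anything is written.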