> GNU tar is not supposed to place files outside its working directory,
> unless explicitly specified otherwise. So this is considered a security
> vulnerability.

So that's a vulnerability in GNU tar, sure - it does something that it is
not supposed to do. But why is there also a vulnerability in tarfile.py?
It does very well what it is supposed to do.

> AFAIK there is no specified behavior and other tars might act
> differently.

I think you are mistaken here. POSIX specifies something (although I'm
uncertain what precisely) for pax(1); this ended the tar wars.

> Furthermore, extract() and extractall() documentation says "Extract
> (...) from the archive to the *current working directory* or directory
> [path]."
> So current behavior is actually inconsistent with the documentation.

Ok. However, what does it mean to create a file with an absolute path in
the current directory? Also, it's fairly easy to see what creating
"../foo" should do when done in the current directory: create a sibling
of the current directory.

> No, the tar file itself is correct, according to POSIX. You can put
> anything into a tar. Point is, you should be able to untar any file
> 'safely'.

I see, you are asking for an option. If people want to have this option,
it should be added. Then, of course, the question is what default it
should take.

Regards,
Martin
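The "untar safely" option discussed in this thread, as an added example that is not code from the thread or from tarfile.py: it resolves each member's destination (and each symlink's target) against the extraction directory and refuses the whole archive if anything lands outside, which covers both the absolute-name and the "../foo" cases above. The archive contents and the destination path are constructed test data.

```python
import io
import os
import tarfile


def is_within_directory(directory, target):
    """True if the normalized target path stays inside directory."""
    directory = os.path.realpath(directory)
    target = os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory


def unsafe_members(tar, dest):
    """Names of members whose path or symlink target would escape dest.

    os.path.join(dest, "/tmp/abs") discards dest entirely, and
    os.path.join(dest, "../foo") resolves to a sibling of dest, so both
    fail the containment check; symlinks are checked relative to the
    directory the link itself would be created in.
    """
    bad = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            bad.append(member.name)
        elif member.issym():
            link = os.path.join(os.path.dirname(target), member.linkname)
            if not is_within_directory(dest, link):
                bad.append(member.name)
    return bad


def safe_extractall(tar, dest):
    """Extract only if every member resolves inside dest; otherwise raise."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError("members would escape %r: %s" % (dest, bad))
    tar.extractall(dest)


def build_sample_archive():
    """Constructed in-memory archive: one safe file, three escaping entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("ok/hello.txt", "../foo", "/tmp/abs"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
        link = tarfile.TarInfo("ok/link")  # symlink pointing above dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```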