Re: tarfile : secure extract?

2016-02-12 Thread Random832
On Thu, Feb 11, 2016, at 18:24, Ulli Horlacher wrote:
> A better approach would be to rename such files while extracting.
> Is this possible?

What happens if you change member.name before extracting?
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: tarfile : secure extract?

2016-02-12 Thread Lars Gustäbel
On Thu, Feb 11, 2016 at 11:24:01PM +, Ulli Horlacher wrote:
> In https://docs.python.org/2/library/tarfile.html there is a warning:
> 
>   Never extract archives from untrusted sources without prior inspection.
>   It is possible that files are created outside of path, e.g. members that
>   have absolute filenames starting with "/" or filenames with two dots
>   "..". 
> 
> My program has to extract tar archives from untrusted sources :-}

Read the discussion in this issue on why this might be a bad idea:
http://bugs.python.org/issue21109

-- 
Lars Gustäbel
l...@gustaebel.de


Re: tarfile : secure extract?

2016-02-12 Thread Ulli Horlacher
Random832  wrote:
> On Thu, Feb 11, 2016, at 18:24, Ulli Horlacher wrote:
> > A better approach would be to rename such files while extracting.
> > Is this possible?
> 
> What happens if you change member.name before extracting?

Ohh... such an easy solution! :-)

-- 
Ullrich Horlacher          Server und Virtualisierung
Rechenzentrum IZUS/TIK     E-Mail: horlac...@tik.uni-stuttgart.de
Universitaet Stuttgart     Tel: ++49-711-68565868
Allmandring 30a            Fax: ++49-711-682357
70550 Stuttgart (Germany)  WWW: http://www.tik.uni-stuttgart.de/


tarfile : secure extract?

2016-02-11 Thread Ulli Horlacher
In https://docs.python.org/2/library/tarfile.html there is a warning:

  Never extract archives from untrusted sources without prior inspection.
  It is possible that files are created outside of path, e.g. members that
  have absolute filenames starting with "/" or filenames with two dots
  "..". 


My program has to extract tar archives from untrusted sources :-}

So far, I ignore files with dangerous pathnames:

  from re import match

  # taro is an already opened tarfile.TarFile (tarfile.open(...)).
  for member in taro.getmembers():
    file = member.name
    # The inline (?i) flag has to come first (Python 3.11+ rejects it elsewhere).
    # The pattern only inspects the start of the name: an optional drive letter,
    # then either a leading slash/backslash or a leading "../" (or "..\").
    if match(r'(?i)^([a-z]:)?(\.\.)?[/\\]', file):
      print('ignoring "%s"' % file)
    else:
      print('extracting "%s"' % file)
      taro.extract(member)


A better approach would be to rename such files while extracting.
Is this possible?


-- 
Ullrich Horlacher          Server und Virtualisierung
Rechenzentrum IZUS/TIK     E-Mail: horlac...@tik.uni-stuttgart.de
Universitaet Stuttgart     Tel: ++49-711-68565868
Allmandring 30a            Fax: ++49-711-682357
70550 Stuttgart (Germany)  WWW: http://www.tik.uni-stuttgart.de/
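An added example, not code from the thread or from the tarfile project, that combines the original post's idea of recognising dangerous member names with the reply's suggestion of changing `member.name` before extracting, and adds a check on symlink and hardlink targets, which renaming the name alone does not cover. Everything in it is an assumption of the example: the function names (`build_sample_archive`, `safe_name`, `link_escapes`, `extract_safely`, `demo`), the constructed sample archive, and the policy of replacing each `..` component with `__` so that an escaping member is renamed rather than silently dropped.

```python
import io
import os
import posixpath
import re
import tarfile
import tempfile

# Constructed sample archive (not from the thread): member names of the kinds
# the tarfile documentation warns about, plus a symlink that points outside.
def build_sample_archive():
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ["docs/readme.txt", "/etc/motd", "../../escape.txt",
                     "docs/../../also-escape.txt", "C:\\temp\\win.txt"]:
            data = b"constructed content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    buf.seek(0)
    return buf

DRIVE = re.compile(r"^[A-Za-z]:")   # "C:" style prefix from Windows-built archives

def safe_name(name):
    """Map a member name to one that stays below the extraction directory.
    Drive letters and leading slashes are dropped, '.' components collapsed,
    and every '..' component replaced with '__' (a constructed naming policy).
    Returns (new_name, changed); new_name is '' if nothing usable is left."""
    path = DRIVE.sub("", name.replace("\\", "/"))
    parts = [p for p in path.split("/") if p not in ("", ".")]
    new_name = "/".join("__" if p == ".." else p for p in parts)
    return new_name, new_name != name

def link_escapes(member):
    """True if a symlink or hardlink member would point outside the extraction
    directory. Assumes member.name has already been passed through safe_name()."""
    if member.issym():
        # symlink targets are relative to the directory holding the link
        target = posixpath.join(posixpath.dirname(member.name), member.linkname)
    elif member.islnk():
        target = member.linkname          # hardlink targets are archive-relative
    else:
        return False
    target = posixpath.normpath(target)
    return posixpath.isabs(target) or target == ".." or target.startswith("../")

def extract_safely(fileobj, dest):
    """Extract every member below dest, renaming unsafe names with safe_name()
    (the 'change member.name before extracting' idea) and skipping links that
    would escape. Returns a list of (original_name, action) tuples."""
    report = []
    # Python 3.12+ (and its security backports) ship extraction filters; use the
    # 'data' filter as a second line of defence when it is available.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        for member in tar.getmembers():
            original = member.name
            new_name, changed = safe_name(original)
            if not new_name:
                report.append((original, "skipped-empty"))
                continue
            member.name = new_name        # rename in place, then extract
            if link_escapes(member):
                report.append((original, "skipped-link"))
                continue
            if not (member.isfile() or member.isdir() or member.issym() or member.islnk()):
                report.append((original, "skipped-special"))   # devices, fifos
                continue
            tar.extract(member, path=dest, **extra)
            report.append((original, "renamed" if changed else "extracted"))
    return report

def demo():
    """Extract the sample archive into a fresh temporary directory; returns the
    report and the sorted, slash-separated list of files that landed below it."""
    dest = tempfile.mkdtemp(prefix="safe_extract_")
    report = extract_safely(build_sample_archive(), dest)
    extracted = sorted(
        os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/")
        for root, _dirs, files in os.walk(dest) for f in files)
    return report, extracted

if __name__ == "__main__":
    for original, action in demo()[0]:
        print(f"{action:14} {original}")
```

Renaming works because `extract()` reads the member's data by its recorded offset, so the new `name` only changes where the bytes are written; the link checks are needed separately because a symlink with a harmless name can still point at a path outside the destination. On Python 3.12 and later the same class of problem can also be handled with `extractall(path, filter="data")`, which rejects or rewrites such members instead of renaming them.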