Re: tarfile : secure extract?
On Thu, Feb 11, 2016, at 18:24, Ulli Horlacher wrote:
> A better approach would be to rename such files while extracting.
> Is this possible?

What happens if you change member.name before extracting?

-- 
https://mail.python.org/mailman/listinfo/python-list
Re: tarfile : secure extract?
On Thu, Feb 11, 2016 at 11:24:01PM +, Ulli Horlacher wrote:
> In https://docs.python.org/2/library/tarfile.html there is a warning:
>
>   Never extract archives from untrusted sources without prior inspection.
>   It is possible that files are created outside of path, e.g. members that
>   have absolute filenames starting with "/" or filenames with two dots "..".
>
> My program has to extract tar archives from untrusted sources :-}

Read the discussion in this issue on why this might be a bad idea:
http://bugs.python.org/issue21109

-- 
Lars Gustäbel
l...@gustaebel.de
Re: tarfile : secure extract?
Random832 wrote:
> On Thu, Feb 11, 2016, at 18:24, Ulli Horlacher wrote:
> > A better approach would be to rename such files while extracting.
> > Is this possible?
>
> What happens if you change member.name before extracting?

Ohh... such an easy solution! :-)

-- 
Ullrich Horlacher              Server und Virtualisierung
Rechenzentrum IZUS/TIK         E-Mail: horlac...@tik.uni-stuttgart.de
Universitaet Stuttgart         Tel:    ++49-711-68565868
Allmandring 30a                Fax:    ++49-711-682357
70550 Stuttgart (Germany)      WWW:    http://www.tik.uni-stuttgart.de/
tarfile : secure extract?
In https://docs.python.org/2/library/tarfile.html there is a warning:

  Never extract archives from untrusted sources without prior inspection.
  It is possible that files are created outside of path, e.g. members that
  have absolute filenames starting with "/" or filenames with two dots "..".

My program has to extract tar archives from untrusted sources :-}

So far, I ignore files with dangerous pathnames:

  import tarfile
  from re import match

  taro = tarfile.open(archive)   # 'archive' is the path of the tar file
  for member in taro.getmembers():
      file = member.name
      # skip absolute paths, drive letters and names that start with ".."
      if match(r'(?i)^([a-z]:)?(\.\.)?[/\\]', file):
          print('ignoring "%s"' % file)
      else:
          print('extracting "%s"' % file)
          taro.extract(member)

A better approach would be to rename such files while extracting.
Is this possible?

-- 
Ullrich Horlacher
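The rename that Random832 suggests (changing member.name before extract) and the question above, worked through as an added example; this is not code from the thread or from the tarfile module. The helper names (safe_name, link_is_inside, extract_renaming, build_sample_archive, demo) and the sample archive are my own constructions. Renaming the member is only half of it: a renamed member can still be a symlink or hard link whose target points outside the destination, so the example also checks link targets and confirms the final real path sits under the destination. Where the interpreter provides tarfile's built-in data filter (Python 3.12 and the security backports), it is passed to extract as a second layer.

```python
import io
import os
import posixpath
import re
import tarfile
import tempfile
from typing import Dict, List, Optional, Tuple

_DRIVE = re.compile(r"^[A-Za-z]:")


def safe_name(name: str) -> Optional[str]:
    """Rewrite an archive member name into a relative path that cannot leave
    the extraction directory; return None if nothing usable is left."""
    name = _DRIVE.sub("", name.replace("\\", "/"))   # Windows drive and separators
    name = posixpath.normpath(name)                  # folds "a/../b" into "b"
    parts = [p for p in name.split("/") if p not in ("", ".", "..")]
    return "/".join(parts) if parts else None


def link_is_inside(member_name: str, linkname: str, symlink: bool) -> bool:
    """True when a link target stays inside the extraction directory.
    A symlink target is relative to the link's own directory; a hard link
    target is relative to the archive root."""
    linkname = linkname.replace("\\", "/")
    if posixpath.isabs(linkname) or _DRIVE.match(linkname):
        return False
    base = posixpath.dirname(member_name) if symlink else ""
    resolved = posixpath.normpath(posixpath.join(base, linkname))
    return resolved != ".." and not resolved.startswith("../")


def extract_renaming(archive_bytes: bytes, dest: str) -> Dict[str, Optional[str]]:
    """Extract into dest, renaming members as they are extracted.
    Returns original name -> extracted name, or None when a member was skipped."""
    dest = os.path.realpath(dest)
    os.makedirs(dest, exist_ok=True)
    # tarfile.data_filter exists on Python 3.12+ (and the security backports);
    # hand it to extract() as a second layer where it is available.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    outcome: Dict[str, Optional[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            original = member.name
            new_name = safe_name(original)
            if new_name is None or member.isdev():
                outcome[original] = None            # nothing safe to write
                continue
            if (member.issym() or member.islnk()) and not link_is_inside(
                    new_name, member.linkname, member.issym()):
                outcome[original] = None            # link would escape dest
                continue
            # Final check on the real filesystem path, after earlier members.
            target = os.path.realpath(os.path.join(dest, new_name))
            if os.path.commonpath([dest, target]) != dest:
                outcome[original] = None
                continue
            member.name = new_name                  # the rename from the thread
            tar.extract(member, path=dest, **extract_kwargs)
            outcome[original] = new_name
    return outcome


def build_sample_archive() -> bytes:
    """Constructed sample archive (not from the thread) mixing harmless and
    hostile member names, plus a symlink whose target leaves the directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "/etc/evil", "../../escape.txt",
                     "C:\\boot.ini", "a/b/../../../up.txt"):
            data = b"sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../../etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


def demo() -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Extract the sample archive into a scratch directory; return the rename
    map and the sorted list of files that actually landed there."""
    with tempfile.TemporaryDirectory() as scratch:
        outcome = extract_renaming(build_sample_archive(), scratch)
        written = sorted(
            os.path.relpath(os.path.join(root, f), scratch).replace(os.sep, "/")
            for root, _dirs, files in os.walk(scratch) for f in files)
    return outcome, written


if __name__ == "__main__":
    renamed, files = demo()
    for old, new in renamed.items():
        print("%-22s -> %s" % (old, new if new else "(skipped)"))
    print("written:", files)
```

Running demo() maps "/etc/evil" to "etc/evil", "../../escape.txt" to "escape.txt", "C:\boot.ini" to "boot.ini" and "a/b/../../../up.txt" to "up.txt", and skips the "docs/link" symlink because its target resolves above the archive root; everything written lands under the scratch directory.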