CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') https://cwe.mitre.org/top25/#CWE-22 http://cwe.mitre.org/data/definitions/22.html
- [ ] BUG,SEC: -P/--absolute-names
  *13* *CWE-22 <http://cwe.mitre.org/data/definitions/22.html>: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')*
  CWE CATEGORY 21: Pathname Traversal and Equivalence Errors
  https://cwe.mitre.org/data/definitions/21.html
  https://cwe.mitre.org/data/definitions/21.html#Relationships
  ...
  CWE 59: "Improper Link Resolution Before File Access ('Link Following')"
  https://cwe.mitre.org/data/definitions/59.html
- [ ] ? BUG,SEC: symlinks?

Docs: https://docs.python.org/3/library/tarfile.html
- https://github.com/python/cpython/blob/2.6/Doc/library/tarfile.rst
- https://github.com/python/cpython/blob/3.6/Doc/library/tarfile.rst
- https://github.com/python/cpython/blob/master/Doc/library/tarfile.rst

Src: https://github.com/python/cpython/blob/master/Lib/tarfile.py
- https://github.com/python/cpython/blob/2.6/Lib/tarfile.py
- https://github.com/python/cpython/blob/3.6/Lib/tarfile.py

https://www.python.org/news/security/#reporting-security-issues-in-python
- https://docs.python.org/devguide/documenting.html#security-considerations-and-other-concerns
- https://cpython-devguide.readthedocs.io/documenting.html#security-considerations-and-other-concerns

- [o] email to: secur...@python.org
- [ ] Create an issue: https://bugs.python.org/
- [ ] Create a pull request: https://docs.python.org/devguide/pullrequest.html
- [ ] DOC:
- [ ] BUG,ENH,SEC: `python -m tarfile -P/--absolute-names`
- [ ] BUG,ENH,SEC: `python -m tarfile -h/--dereference --hard-dereference`
- [ ] bandit test(s): https://github.com/openstack/bandit#writing-tests
- [ ] Python API
- [ ]
- [ ] python -m tarfile
- [ ] someone to lead on this because I am actually looking for a job ...
https://python-security.readthedocs.io/
- Src: https://github.com/haypo/python-security/blob/master/index.rst
- [ ] https://github.com/ebranca/owasp-pysec/wiki
- [ ] https://github.com/ebranca/owasp-pysec/wiki/Security-Concerns-in-modules-and-functions

On Thu, Mar 9, 2017 at 11:37 AM, Victor Stinner <victor.stin...@gmail.com> wrote:
> Hi,
>
> I noticed that "python3 -m tarfile -x archive.tar" uses absolute paths
> by default, whereas the UNIX tar command doesn't by default. The UNIX
> tar command requires to add explicitly --absolute-paths (-P) option.
>
> The tarfile and zipfile modules (maybe also some others, I didn't
> check) contain warnings about absolute paths and paths containing "..".
>
> Why not ignore "/" at start of filenames *by default*? By backward
> compatibility?
>
> I suggest to add a boolean absolute_path option to tarfile and zipfile
> and disable it by default in the CLI. The question is what should be
> the default value for the Python API. I suggest to use
> absolute_path=False by default for safety.
>
>
> Example to create such archive. See that tar also removes "/" by
> default and requires to pass explicitly -P:
>
> $ cd $HOME
> # /home/haypo
> $ echo TEST > test
> $ tar -cf test.tar /home/haypo/test
> tar: Removing leading `/' from member names
>
> $ rm -f test.tar
> $ tar -P -cf test.tar /home/haypo/test
> $ rm -f test
>
>
> Extracting such archive using tar is safe *by default*:
>
> $ mkdir z
> $ cd z
> $ tar -xf ~/test.tar
> tar: Removing leading `/' from member names
> $ find
> .
> ./home
> ./home/haypo
> ./home/haypo/test
>
>
> Extracting such archive using Python is unsafe:
>
> $ python3 -m tarfile -e ~/test.tar
> $ cat ~/test
> TEST
> $ pwd
> /home/haypo/z
>
> Python creates files outside the current directory which is unsafe,
> whereas tar doesn't.
>
> Victor
> _______________________________________________
> Security-SIG mailing list
> Security-SIG@python.org
> https://mail.python.org/mailman/listinfo/security-sig
>
_______________________________________________ Security-SIG mailing list Security-SIG@python.org https://mail.python.org/mailman/listinfo/security-sig
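The three member shapes the thread flags (absolute names such as Victor's `/home/haypo/test`, `..` components, and symlinks or hard links whose target leaves the extraction directory, i.e. the CWE-22 and CWE-59 items in the checklist) can be rejected before `tarfile` ever touches the filesystem. The code below is an added example written for this page, not code from the thread, from Victor, or from CPython's `tarfile` module; the function names (`check_member`, `audit`, `safe_extract`, `build_sample_archive`, `demo_extract`) and the in-memory sample archive are constructed here for illustration. It builds an archive with the same hostile shapes, classifies every member against a destination directory without extracting, and then extracts only the members that pass.

```python
import io
import os
import tarfile
import tempfile
from typing import Dict, List, Optional


def _is_within(base: str, target: str) -> bool:
    """True if `target` lies under `base` after normalisation (this resolves `..`)."""
    base = os.path.abspath(base)
    target = os.path.abspath(target)
    try:
        # commonpath, not a string prefix test: "/tmp/dest2" is not under "/tmp/dest"
        return os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def check_member(member: tarfile.TarInfo, dest: str) -> Optional[str]:
    """Return None if `member` may be extracted into `dest`, else the rejection reason."""
    name = member.name
    # CWE-22: os.path.join(dest, "/home/haypo/test") discards `dest`, so an
    # absolute member name would be written outside the extraction directory.
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        return "absolute path"
    target = os.path.join(dest, name)
    # CWE-22: "../" components escape `dest` once the path is normalised.
    if not _is_within(dest, target):
        return "path escapes destination"
    # CWE-59: a symlink target is resolved relative to the link's own directory,
    # a hard link target relative to the archive root; either may leave `dest`.
    if member.issym():
        link_target = os.path.join(os.path.dirname(target), member.linkname)
        if os.path.isabs(member.linkname) or not _is_within(dest, link_target):
            return "symlink target escapes destination"
    if member.islnk() and not _is_within(dest, os.path.join(dest, member.linkname)):
        return "hard link target escapes destination"
    return None


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign member plus the shapes discussed in the thread."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)  # addfile() keeps the name exactly as given
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("ok/hello.txt", b"hello\n")
        add_file("/home/haypo/test", b"TEST\n")  # absolute name, like the `tar -P` archive above
        add_file("../escape.txt", b"escaped\n")  # parent-directory traversal
        link = tarfile.TarInfo("ok/link")  # symlink whose target is above `dest`
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def audit(archive: bytes, dest: str) -> Dict[str, Optional[str]]:
    """Map each member name to None (safe) or its rejection reason, without extracting."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return {m.name: check_member(m, dest) for m in tar.getmembers()}


def safe_extract(archive: bytes, dest: str) -> List[str]:
    """Extract only members that pass check_member; return the names extracted."""
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if check_member(member, dest) is not None:
                continue  # policy choice: skip silently here; raising is equally reasonable
            try:
                # Python 3.12+ (and its security backports) also apply the stdlib 'data' filter
                tar.extract(member, path=dest, filter="data")
            except TypeError:
                tar.extract(member, path=dest)  # older tarfile: no `filter` argument
            extracted.append(member.name)
    return extracted


def demo_extract() -> dict:
    """Round trip into a fresh temporary directory; report what was extracted and read back."""
    archive = build_sample_archive()
    with tempfile.TemporaryDirectory() as dest:
        names = safe_extract(archive, dest)
        with open(os.path.join(dest, "ok", "hello.txt"), "rb") as f:
            content = f.read()
    return {"extracted": names, "hello": content}


if __name__ == "__main__":
    for name, verdict in audit(build_sample_archive(), "/tmp/dest").items():
        print(f"{name!r}: {verdict or 'ok'}")
    print(demo_extract())
```

The check compares names only, so it stops the two cases Victor's `test.tar` and the `..` variant demonstrate, plus link targets that point outside the destination. It does not cover a member written through a symlink that an earlier member of the same archive created; that ordering issue is a separate CWE-59 concern, which is why hostile archives should be extracted into a fresh, empty directory. Since this 2017 thread, `tarfile` has gained extraction filters (the `filter="data"` argument used above, available from Python 3.12 and in security backports) that perform equivalent rejections inside the standard library.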