On Thu, Mar 9, 2017 at 9:37 AM, Victor Stinner <victor.stin...@gmail.com> wrote: > Hi, > > I noticed that "python3 -m tarfile -x archive.tar" uses absolute paths > by default, whereas the UNIX tar command doesn't by default. The UNIX > tar command requires to add explicitly --absolute-paths (-P) option. > > The tarfile and zipfile modules (maybe also some others, I didn't > check) contain warnings absolute paths and paths containing "..". > > Why not ignoring "/" at start of filenames *by default*? By backward > compatibility? > > I suggest to add a boolean absolute_path option to tarfile and zipfile > and disable it by default in the CLI. The question is what should be > the default value for the Python API. I suggest to use > absolute_path=False by default for safety.
This sounds like the right default to me. Technically there's some backwards compatibility risk, but tarfiles and zipfiles with absolute paths are really rare and this behavior is really dangerous (unpacking a file gives the person who created the file the ability to overwrite arbitrary files on your computer), so it's unlikely that much will break and what does break was likely a huge security hole in the first place. -n -- Nathaniel J. Smith -- https://vorpus.org _______________________________________________ Security-SIG mailing list Security-SIG@python.org https://mail.python.org/mailman/listinfo/security-sig
