[New-bugs-announce] [issue6972] zipfile.ZipFile
Ralf Schmitt
report at bugs.python.org
Wed Sep 23 00:10:52 CEST 2009
New submission from Ralf Schmitt <schmir at gmail.com>:
ZipFile.extractall happily overwrites any file on the filesystem. One
can put files with a name like "//etc/password" in a zip file and
extractall will overwrite /etc/password (with sufficient rights).
The docs say:
ZipFile.extractall([path[, members[, pwd]]])
Extract all members from the archive to the current working
directory. path specifies a different directory to extract to. members
is optional and must be a subset of the list returned by namelist(). pwd
is the password used for encrypted files.
I read that as: it will put all files into path or a subdirectory.
Using names like "../../../etc/password" also leads to files being
written outside that path directory.
----------
components: Library (Lib)
messages: 93021
nosy: schmir
severity: normal
status: open
title: zipfile.ZipFile
type: security
versions: Python 2.6
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue6972>
_______________________________________
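As an added example, not code from the report or from CPython's zipfile module: a pre-extraction check that rejects the absolute and ".." member names described above, with a second check that resolves each real destination path. The function names are assumptions, and the archives are constructed in memory as sample input.

```python
import io
import os
import posixpath
import zipfile


def unsafe_members(zf):
    """Return archive entry names that would escape the extraction root.

    Catches absolute names ("//etc/password"), Windows drive letters and any
    name whose normalized form still contains a ".." component.
    """
    bad = []
    for name in zf.namelist():
        parts = posixpath.normpath(name.replace("\\", "/")).split("/")
        drive = len(name) > 1 and name[1] == ":"
        if name.startswith(("/", "\\")) or drive or ".." in parts:
            bad.append(name)
    return bad


def stays_inside(root, name):
    """Second check: resolve the real destination and confirm it is under root."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root


def safe_extractall(zf, path):
    """Extract only if every member passes both checks; otherwise extract nothing."""
    bad = unsafe_members(zf) + [n for n in zf.namelist() if not stays_inside(path, n)]
    if bad:
        raise ValueError("refusing to extract outside %r: %r" % (path, sorted(set(bad))))
    zf.extractall(path)
    return zf.namelist()


def build_sample_zip(names):
    """Constructed in-memory archive with the given entry names (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as out:
        for name in names:
            out.writestr(name, b"sample")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    hostile = build_sample_zip(["ok.txt", "//etc/password", "../../../etc/password"])
    print("unsafe entries:", unsafe_members(hostile))
```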