[New-bugs-announce] [issue21109] tarfile: Traversal attack vulnerability

Daniel Garcia report at bugs.python.org
Mon Mar 31 10:14:19 CEST 2014


New submission from Daniel Garcia:

The application does not validate the filenames inside the tar archive, allowing files to be extracted to an arbitrary path. An attacker can craft a tar file to override files.

I've seen this vulnerability in libtar:
http://lwn.net/Vulnerabilities/587141/
I've checked that Python's tarfile doesn't validate the filenames, so Python's tarfile is vulnerable to this attack.

----------
components: Library (Lib)
files: prevent-tar-traversal-attack.diff
keywords: patch
messages: 215222
nosy: Daniel.Garcia
priority: normal
severity: normal
status: open
title: tarfile: Traversal attack vulnerability
type: security
versions: Python 3.5
Added file: http://bugs.python.org/file34676/prevent-tar-traversal-attack.diff

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue21109>
_______________________________________

