[issue2004] tarfile extractall() allows local attacker to overwrite files while extracting
Michael Brown
report at bugs.python.org
Sun Feb 3 04:59:13 CET 2008
New submission from Michael Brown:
python 2.5.1
tarfile.py line 1516 in extractall()
sets directories created to world-writeable while extracting which means
an attacker can change/modify files before perms are fixed. Suggest 770
while extracting to fix.
----------
components: Library (Lib)
messages: 62016
nosy: mebrown
severity: major
status: open
title: tarfile extractall() allows local attacker to overwrite files while extracting
type: security
versions: Python 2.5
__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2004>
__________________________________
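A defensive pattern for callers of extractall(), as an added example that is not part of the original report or of tarfile itself: extract into a private 0700 staging directory so a directory that is briefly world-writable during extraction is unreachable by other local users, then audit and tighten what was created. The names `world_writable_dirs`, `extract_private` and `build_sample_archive` are hypothetical, and the archive is constructed sample data.

```python
import io
import os
import stat
import tarfile
import tempfile


def world_writable_dirs(root):
    """Return directories at or below root that other users can write to."""
    hits = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        st = os.lstat(dirpath)
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            hits.append(dirpath)
    return sorted(hits)


def extract_private(archive, parent):
    """Extract into a fresh staging directory; return (staging, tightened)."""
    # mkdtemp creates the directory accessible only to the calling user,
    # so nothing inside it can be reached by others while extraction runs.
    staging = tempfile.mkdtemp(prefix="untar-", dir=parent)
    # Use the "data" extraction filter where this Python provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=archive) as tar:
        tar.extractall(staging, **kwargs)
    # Audit the result and strip other-write from anything left loose.
    loose = world_writable_dirs(staging)
    for path in loose:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)
    return staging, loose


def build_sample_archive():
    """Constructed sample: a directory recorded as 0777 plus one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        d = tarfile.TarInfo("pkg")
        d.type, d.mode = tarfile.DIRTYPE, 0o777
        tar.addfile(d)
        payload = b"hello\n"
        f = tarfile.TarInfo("pkg/data.txt")
        f.size, f.mode = len(payload), 0o644
        tar.addfile(f, io.BytesIO(payload))
    buf.seek(0)
    return buf
```

Only move or publish the staging directory's contents to a shared location after the audit step has run.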