[issue2004] tarfile extractall() allows local attacker to overwrite files while extracting

Lars Gustäbel report at bugs.python.org
Tue Feb 5 11:56:46 CET 2008


Lars Gustäbel added the comment:

os.mkdir() and os.makedirs() always apply the current umask to the mode.
We cannot be responsible for poorly chosen umasks. In general, tarfile
and zipfile create directories with reasonable modes. So, IMO the
zipfile-dirperm.diff is not needed and Michael's problem depends on the
current umask.

The only exception is in TarFile._extract_member() in Python <= 2.5.x
that creates missing directories that are not part of the archive(!) and
uses os.chmod() to force a 0777 mode. That problem was addressed in
issue1507247 but only for Python 2.6 and should be backported. Although
this would change behaviour it would not cause failures.

__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2004>
__________________________________
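The comment's point that the mode of implicitly created directories depends on the process umask (and that pre-2.6 tarfile forced 0777 on such directories) can be checked directly on a modern interpreter. The script below is an added example, not code from the bug report or from the tarfile module: it builds a constructed archive containing only the file member a/b/c.txt (no directory entries), extracts it under two different umasks, and audits which directories tarfile created and whether any of them are world-writable. It assumes a POSIX filesystem where mode bits are honoured.

```python
import io
import os
import stat
import tarfile
import tempfile


def make_archive_without_dir_entries():
    """Build a tar in memory (constructed sample) holding only a file member
    at a/b/c.txt, so the extractor itself has to create a/ and a/b."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        info = tarfile.TarInfo(name="a/b/c.txt")
        info.size = len(data)
        info.mode = 0o644
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_with_umask(archive_bytes, umask):
    """Extract into a fresh temp dir while the given umask is in effect,
    restoring the previous umask afterwards. Returns the extraction root."""
    root = tempfile.mkdtemp(prefix="tar-umask-demo-")
    # Use the 'data' extraction filter where the interpreter offers it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    old = os.umask(umask)
    try:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
            tar.extractall(root, **kwargs)
    finally:
        os.umask(old)
    return root


def dir_modes(root):
    """Map each directory below root (relative path) to its permission bits."""
    modes = {}
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            modes[rel] = stat.S_IMODE(os.lstat(full).st_mode)
    return modes


def world_writable_dirs(root):
    """Directories below root that any local user could write into; this is
    the post-extraction check that matters for the issue discussed above."""
    return sorted(rel for rel, mode in dir_modes(root).items()
                  if mode & stat.S_IWOTH)


if __name__ == "__main__":
    archive = make_archive_without_dir_entries()
    for umask in (0o022, 0o000):
        root = extract_with_umask(archive, umask)
        print("umask %04o -> modes %s, world-writable: %s" % (
            umask,
            {k: "%04o" % v for k, v in dir_modes(root).items()},
            world_writable_dirs(root)))
```

With umask 022 the implicitly created a/ and a/b come out 0755 and the audit is empty; with umask 000 they come out 0777 and both are reported, which is the "poorly chosen umask" case the comment describes.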