[Python-Dev] tarfile and directory traversal vulnerability

"Martin v. Löwis" martin at v.loewis.de
Sat Aug 25 00:38:14 CEST 2007

> The vulnerability goes basically like this: If you tar a file named
> "../../../../../etc/passwd" and then make the admin untar it,
> /etc/passwd gets overwritten.
> Another variety of this bug is a symlink one: if tar contains files like:
> ./aaaa-directory -> /etc
> ./aaaa-directory/passwd
> then the "aaaa-directory" symlink would be created first and /etc/passwd
> will be overwritten once again.

I must admit I fail to see the bug. If root untars a file, and that tar
file contains an instruction to overwrite /etc/passwd, why is an error
to execute that instruction? Shouldn't root just be more careful when
untaring files?

> if tarinfo.name.startswith('../'):
>     self.extract(tarinfo, path)
> else:
>     warnings.warn("non-local file skipped: %s" % tarinfo.name,
> RuntimeWarning, stacklevel=1)

Ok. You seem to be claiming that the tarfile is incorrect in some
sense. Can you please point to some spec that says this is an incorrect

In any case, if you fix what you consider broken, you should do
it exactly the same way as GNU tar does it (assuming you consider
GNU tar fixed).


More information about the Python-Dev mailing list