[Python-Dev] tarfile and directory traversal vulnerability

Jan Matejek jmatejek at suse.cz
Mon Aug 27 19:35:32 CEST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin v. Löwis wrote:
> I must admit I fail to see the bug. If root untars a file, and that tar
> file contains an instruction to overwrite /etc/passwd, why is it an error
> to execute that instruction? Shouldn't root just be more careful when
> untarring files?

GNU tar is not supposed to place files outside its working directory,
unless explicitly specified otherwise. So this is considered a security
vulnerability.

AFAIK there is no specified behavior and other tars might act
differently. But I think GNU tar behaves correctly in this regard.

Furthermore, extract() and extractall() documentation says "Extract
(...) from the archive to the *current working directory* or directory
[path]."
So current behavior is actually inconsistent with the documentation.

>> if not tarinfo.name.startswith('../'):
>>     self.extract(tarinfo, path)
>> else:
>>     warnings.warn("non-local file skipped: %s" % tarinfo.name,
>>                   RuntimeWarning, stacklevel=1)
> 
> Ok. You seem to be claiming that the tarfile is incorrect in some
> sense. Can you please point to some spec that says this is an incorrect
> tarfile?

No, the tar file itself is correct, according to POSIX. You can put
anything into a tar. Point is, you should be able to untar any file
'safely'.

> In any case, if you fix what you consider broken, you should do
> it exactly the same way as GNU tar does it (assuming you consider
> GNU tar fixed).

I can do that.
I would propose an optional parameter for extract() and extractall(),
absolutePaths, defaulting to False. When encountering a non-local file,
it would strip the leading slash or the path up to the last '../'
sequence (that is what GNU tar does) and extract the file locally.
Setting absolutePaths to True would restore current behavior (no checks).

regards,
jan matejek
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFG0wtkjBrWA+AvBr8RAmmnAKCtpYYoFZYaNwba2WW11NtRuCyqhwCePkFw
9M2pKHtu0O62fAYfb8NTm3A=
=yfVK
-----END PGP SIGNATURE-----
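The following is an added example, not code from this thread and not the stdlib's own tarfile API, showing one way the proposal above could be implemented (assumes Python 3). The function and parameter names strip_non_local, safe_extractall and absolute_paths are this example's own inventions. strip_non_local rewrites member names the way the message describes GNU tar doing it (drop a leading '/', drop everything up to the last '../'); safe_extractall then goes one step beyond the proposal and re-checks every resolved target against the destination directory, because a rewritten name can still end in '..' (the constructed sample member foo/../.. shows this). The archive is built in memory from constructed data so the example runs offline.

```python
import copy
import io
import os
import tarfile
import tempfile
import warnings


def strip_non_local(name):
    """Rewrite a member name the way the thread describes GNU tar doing it:
    drop leading '/' characters and drop everything up to and including the
    last '../' sequence.  Returns (new_name, changed)."""
    new = name.lstrip("/")
    idx = new.rfind("../")
    if idx != -1:
        new = new[idx + len("../"):]
    return new, new != name


def _is_within(dest, target):
    """True if `target` resolves to `dest` itself or to something below it."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(target)
    return os.path.commonpath([dest, target]) == dest


def safe_extractall(tar, path=".", absolute_paths=False):
    """Extract all members of `tar` into `path` (hypothetical API, not stdlib).

    absolute_paths=False (the proposed default) rewrites non-local names and
    then skips, with a RuntimeWarning, anything that would still land outside
    `path` (a name that is still '..' after rewriting, or a path that passes
    through a symlink created by an earlier member).
    absolute_paths=True restores the unchecked behaviour.
    Returns (extracted_names, skipped_original_names)."""
    extracted, skipped = [], []
    for member in tar.getmembers():
        if absolute_paths:
            tar.extract(member, path)
            extracted.append(member.name)
            continue
        name, changed = strip_non_local(member.name)
        if changed:
            warnings.warn("non-local name %r rewritten to %r"
                          % (member.name, name), RuntimeWarning, stacklevel=2)
        if not name or not _is_within(path, os.path.join(path, name)):
            warnings.warn("non-local file skipped: %s" % member.name,
                          RuntimeWarning, stacklevel=2)
            skipped.append(member.name)
            continue
        # Work on a copy so the archive's own TarInfo list is not rewritten.
        local = copy.copy(member)
        local.name = name
        tar.extract(local, path)
        extracted.append(name)
    return extracted, skipped


def build_sample_archive():
    """Constructed test data: an in-memory tar mixing benign and hostile names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("good/file.txt", b"fine\n"),                  # ordinary member
            ("/tmp/absolute.txt", b"absolute\n"),          # absolute path
            ("../../escape.txt", b"traversal\n"),          # leading '../'
            ("nested/../../escape2.txt", b"traversal\n"),  # '../' in the middle
            ("foo/../..", b""),                            # rewrites to '..'
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def demo():
    """Extract the sample archive into a scratch directory and report what was
    extracted, what was skipped, and which files actually exist under it."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=build_sample_archive(), mode="r") as tar, \
                warnings.catch_warnings():
            warnings.simplefilter("ignore")  # keep the demo output quiet
            extracted, skipped = safe_extractall(tar, dest)
        on_disk = sorted(
            os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/")
            for root, _dirs, files in os.walk(dest) for f in files)
    return extracted, skipped, on_disk


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the absolute and '../' names landing inside the destination under their rewritten names, while foo/../.. is skipped because the rewrite alone leaves it pointing at the parent directory. One caveat the thread does not cover: a symlink member whose link target points outside the destination is still created as-is by this code; only later members that write through such a link are caught by the realpath check.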

