[Python-Dev] tarfile and directory traversal vulnerability

"Martin v. Löwis" martin at v.loewis.de
Tue Aug 28 17:46:09 CEST 2007


> GNU tar is not supposed to place files outside its working directory,
> unless explicitly specified otherwise. So this is considered a security
> vulnerability.

So that's a vulnerability in GNU tar, sure - it does something that it
is not supposed to do.

But why is there also a vulnerability in tarfile.py? It does very well
what it is supposed to do.

> AFAIK there is no specified behavior and other tars might act
> differently. 

I think you are mistaken here. POSIX specifies something (although
I'm uncertain what precisely) for pax(1); this ended the tar wars.

> Furthermore, extract() and extractall() documentation says "Extract
> (...) from the archive to the *current working directory* or directory
> [path]."
> So current behavior is actually inconsistent with the documentation.

Ok. However, what does it mean to create a file with an absolute path
in the current directory?

Also, it's fairly easy to see what creating "../foo" should do when
done in the current directory: create a sibling of the current
directory.

> No, the tar file itself is correct, according to POSIX. You can put
> anything into a tar. Point is, you should be able to untar any file
> 'safely'.

I see, you are asking for an option. If people want to have this option,
it should be added.

Then, of course, the question is what default it should take.

Regards,
Martin

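The check that the "safe untar" option discussed above would need, written here as an added example rather than code from this thread or from tarfile.py: each member's target path is resolved under the destination directory and anything that escapes it is rejected, including symlink and hard-link targets. The in-memory archive and the destination `/srv/extract` are constructed for the demonstration.

```python
import io
import os
import tarfile


def build_sample_archive():
    """Constructed archive: one benign member plus members that would escape the destination."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("ok.txt", "../escaped.txt", "/tmp/absolute.txt", "sub/../../up.txt"):
            data = b"payload\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))   # addfile() keeps the name exactly as given
        link = tarfile.TarInfo(name="link")        # symlink whose target points above the destination
        link.type = tarfile.SYMTYPE
        link.linkname = "../outside_target"
        tar.addfile(link)
    buf.seek(0)
    return buf


def is_within_directory(dest, relative_name):
    """True only if dest/relative_name, after '..' and symlink resolution, still lies inside dest."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, relative_name))  # an absolute name discards dest here
    try:
        return os.path.commonpath([dest_real, target]) == dest_real
    except ValueError:          # different drives on Windows: certainly not inside dest
        return False


def member_is_safe(dest, member):
    """Check the member's own path and, for links, the path the link would resolve to."""
    if not is_within_directory(dest, member.name):
        return False
    if member.issym():
        # a symlink target is interpreted relative to the directory holding the link
        return is_within_directory(dest, os.path.join(os.path.dirname(member.name), member.linkname))
    if member.islnk():
        # a hard-link target is an archive-relative path
        return is_within_directory(dest, member.linkname)
    return True


def partition_members(archive, dest):
    """Split the archive into members safe to extract under dest and members that would escape it."""
    safe, rejected = [], []
    with tarfile.open(fileobj=archive, mode="r") as tar:
        for member in tar.getmembers():
            (safe if member_is_safe(dest, member) else rejected).append(member.name)
    return safe, rejected
```

Python 3.12 added the `filter` argument to `extract()`/`extractall()` (PEP 706), which performs checks of this kind natively; on older versions the check has to run over `getmembers()` before extraction, as here.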
