tarfile : secure extract?

Ulli Horlacher framstag at rus.uni-stuttgart.de
Thu Feb 11 18:24:01 EST 2016


In https://docs.python.org/2/library/tarfile.html there is a warning:

  Never extract archives from untrusted sources without prior inspection.
  It is possible that files are created outside of path, e.g. members that
  have absolute filenames starting with "/" or filenames with two dots
  "..". 


My program has to extract tar archives from untrusted sources :-}

So far, I ignore files with dangerous pathnames:

  for member in taro.getmembers():
    file = member.name
    if match(r'^(?i)([a-z]:)?(\.\.)?[/\\]',file):
      print('ignoring "%s"' % file)
    else:
      print('extracting "%s"' % file)
      taro.extract(member)


A better approach would be to rename such files while extracting.
Is this possible?


-- 
Ullrich Horlacher              Server und Virtualisierung
Rechenzentrum IZUS/TIK         E-Mail: horlacher at tik.uni-stuttgart.de
Universitaet Stuttgart         Tel:    ++49-711-68565868
Allmandring 30a                Fax:    ++49-711-682357
70550 Stuttgart (Germany)      WWW:    http://www.tik.uni-stuttgart.de/


More information about the Python-list mailing list