tarfile : secure extract?

Lars Gustäbel lars at gustaebel.de
Fri Feb 12 14:21:25 EST 2016


On Thu, Feb 11, 2016 at 11:24:01PM +0000, Ulli Horlacher wrote:
> In https://docs.python.org/2/library/tarfile.html there is a warning:
> 
>   Never extract archives from untrusted sources without prior inspection.
>   It is possible that files are created outside of path, e.g. members that
>   have absolute filenames starting with "/" or filenames with two dots
>   "..". 
> 
> My program has to extract tar archives from untrusted sources :-}

Read the discussion in this issue on why this might be a bad idea:
http://bugs.python.org/issue21109

-- 
Lars Gustäbel
lars at gustaebel.de


More information about the Python-list mailing list