[issue2004] tarfile extractall() allows local attacker to overwrite files while extracting

Alan McIntyre report at bugs.python.org
Sun Feb 3 06:29:03 CET 2008


Alan McIntyre added the comment:

I noticed that in the trunk, ZipFile._extract_member, at line 865, still
uses 777 (the default of os.makedirs) to create directories.  I attached
a patch for it.

A quick grep shows that tarfile still uses the default permissions for
os.makedirs and mkdir.  Should these all be changed to 700?

----------
nosy: +alanmcintyre
Added file: http://bugs.python.org/file9351/zipfile-dirperm.diff

__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2004>
__________________________________
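
The permission question raised in the comment above, as an added example (not code from the tracker, the attached patch, or CPython): it creates the same nested directory three ways under a umask of 0 and reports the resulting permission bits. The helper names `makedirs_private`, `dir_modes` and `compare` and the sample path are assumptions made for illustration. On Python 3.7 and later, the `mode` argument of `os.makedirs` applies only to the leaf directory, so the helper creates each level explicitly.

```python
import os
import tempfile


def makedirs_private(path, mode=0o700):
    """Create path and every missing parent with `mode`, regardless of umask."""
    path = os.path.abspath(path)
    missing = []
    while not os.path.isdir(path):
        missing.append(path)
        path = os.path.dirname(path)
    for directory in reversed(missing):
        os.mkdir(directory, mode)
        # mkdir() masks `mode` with the umask; chmod pins the exact bits.
        os.chmod(directory, mode)


def dir_modes(root, relpath):
    """Return the rwx permission bits of each directory level under root."""
    modes = []
    current = root
    for part in relpath.split("/"):
        current = os.path.join(current, part)
        modes.append(os.stat(current).st_mode & 0o777)
    return modes


def compare(relpath="pkg/data/cache"):  # constructed sample path
    """Create the same tree three ways under umask 0 and report the modes."""
    old_umask = os.umask(0)  # worst case: the umask removes nothing
    try:
        with tempfile.TemporaryDirectory() as tmp:
            results = {}
            for name, create in (
                ("default", lambda p: os.makedirs(p)),
                ("leaf_mode", lambda p: os.makedirs(p, 0o700)),
                ("private", makedirs_private),
            ):
                root = os.path.join(tmp, name)
                os.mkdir(root)
                create(os.path.join(root, relpath))
                results[name] = dir_modes(root, relpath)
            return results
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, modes in compare().items():
        print(name, [oct(m) for m in modes])
```

With a typical umask of 022 the default case yields 755 rather than 777; the example sets the umask to 0 to show what the extraction code itself requests.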

