[issue21109] tarfile: Traversal attack vulnerability
Ashwin Ramaswami
report at bugs.python.org
Tue Aug 13 12:40:24 EDT 2019
Ashwin Ramaswami <aramaswamis at gmail.com> added the comment:
SafeTarFile does not pass the existing tests, mainly because the existing file Lib/test/tarfiletestdata/testtar.tar seems to be "unsafe", producing errors like these:
tarfile.SecurityError: <TarInfo 'ustar/blktype' at 0x7fb9119b3bb0>: block device
tarfile.SecurityError: <TarInfo 'ustar/regtype' at 0x7fb9119b3910>: duplicate name
It seems like the solution here is to remove block devices and duplicate names from testtar.tar. However, is this desirable -- do we need to keep these in for the tests for TarFile?
----------
versions: +Python 3.9 -Python 3.8
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue21109>
_______________________________________
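Added example, not part of the original message or of the SafeTarFile patch: a stdlib-only audit that flags the two member kinds named in the errors above (block devices and duplicate names) without extracting anything. The function names `build_sample_tar` and `audit` are hypothetical, and the archive is constructed in memory; it reuses the member names from the error output but is not testtar.tar.

```python
import io
import tarfile


def build_sample_tar():
    """Constructed archive: one block device entry and one name stored twice."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        blk = tarfile.TarInfo("ustar/blktype")
        blk.type = tarfile.BLKTYPE
        blk.devmajor, blk.devminor = 3, 0
        tar.addfile(blk)  # device entries carry no data, so no fileobj

        # Same member name written twice; a later copy overwrites the earlier
        # one on extraction, which is why a strict reader rejects it.
        for payload in (b"first", b"second"):
            reg = tarfile.TarInfo("ustar/regtype")
            reg.size = len(payload)
            tar.addfile(reg, io.BytesIO(payload))

        ok = tarfile.TarInfo("ustar/ok.txt")
        ok.size = 2
        tar.addfile(ok, io.BytesIO(b"ok"))
    return buf.getvalue()


def audit(data):
    """Return (member name, reason) pairs for members a strict extractor would refuse."""
    findings = []
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for member in tar:  # reads headers only; nothing is written to disk
            if member.isblk():
                findings.append((member.name, "block device"))
            elif member.ischr():
                findings.append((member.name, "character device"))
            if member.name in seen:
                findings.append((member.name, "duplicate name"))
            seen.add(member.name)
    return findings


if __name__ == "__main__":
    for name, reason in audit(build_sample_tar()):
        print(f"{name}: {reason}")
```

Running the same `audit` over a test fixture lists which members would have to be removed or kept in a separate archive for a strict reader to accept it.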