tarfile : secure extract?
Ulli Horlacher
framstag at rus.uni-stuttgart.de
Thu Feb 11 18:24:01 EST 2016
In https://docs.python.org/2/library/tarfile.html there is a warning:
Never extract archives from untrusted sources without prior inspection.
It is possible that files are created outside of path, e.g. members that
have absolute filenames starting with "/" or filenames with two dots
"..".
My program has to extract tar archives from untrusted sources :-}
So far, I ignore files with dangerous pathnames:
    from re import match

    # taro is a tarfile.TarFile that was opened earlier
    for member in taro.getmembers():
        file = member.name
        # skip names that start with a drive letter, a '..' or a slash;
        # the (?i) flag has to be the very first thing in the pattern
        if match(r'(?i)^([a-z]:)?(\.\.)?[/\\]', file):
            print('ignoring "%s"' % file)
        else:
            print('extracting "%s"' % file)
            taro.extract(member)
A better approach would be to rename such files while extracting.
Is this possible?
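Yes, it is: a TarInfo's name attribute can be rewritten before it is handed to extract(), so a dangerous member is extracted under a harmless name instead of being dropped. The following Python 3 example is added here and is not code from the post above. It renames every '..' component to the constructed placeholder '__dotdot__', strips drive letters and leading slashes, skips link members entirely (a link target can point anywhere), and re-checks the resolved path against the destination before writing. The sample archive is built in memory from constructed data so the whole thing runs offline.

```python
import io
import os
import tarfile
import tempfile

DOTDOT = '__dotdot__'   # replacement for '..' components (an assumed naming convention)


def sanitize_member_name(name):
    """Map an archive member name to a path that stays below the destination.

    Drive letters ('C:') and leading slashes/backslashes are dropped, empty and
    '.' components are removed, and every '..' component is renamed to DOTDOT
    so the member is still extracted, just not outside the destination.
    Returns None if nothing usable remains.
    """
    name = name.replace('\\', '/')                 # treat Windows separators like '/'
    if len(name) >= 2 and name[0].isalpha() and name[1] == ':':
        name = name[2:]                            # strip a 'C:' style drive prefix
    parts = []
    for part in name.split('/'):
        if part in ('', '.'):
            continue                               # leading '/', '//' and '.' vanish
        parts.append(DOTDOT if part == '..' else part)
    return '/'.join(parts) or None


def safe_extract(tar, dest):
    """Extract regular files and directories from tar into dest, renaming
    dangerous member names instead of skipping them.

    Returns a list of (original_name, extracted_name_or_None, action).
    """
    dest = os.path.realpath(dest)
    report = []
    for member in tar.getmembers():
        original = member.name
        if not (member.isfile() or member.isdir()):
            # symlinks, hardlinks and device nodes are never extracted
            report.append((original, None, 'skipped: not a file or directory'))
            continue
        safe = sanitize_member_name(original)
        if safe is None:
            report.append((original, None, 'skipped: empty name'))
            continue
        # defence in depth: the resolved target must still lie inside dest
        target = os.path.realpath(os.path.join(dest, safe))
        if os.path.commonpath([dest, target]) != dest:
            report.append((original, None, 'skipped: escapes destination'))
            continue
        action = 'extracted' if safe == original else 'renamed'
        member.name = safe                         # rename while extracting
        tar.extract(member, path=dest, set_attrs=False)
        report.append((original, safe, action))
    return report


def build_test_archive():
    """Constructed sample archive: one harmless member, four with dangerous
    names and one symlink pointing out of the tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w') as tar:
        for name, data in [('ok/readme.txt', b'fine'),
                           ('../escape.txt', b'up'),
                           ('/etc/absolute.txt', b'abs'),
                           ('C:\\win\\drive.txt', b'drive'),
                           ('nested/../../deep.txt', b'deep')]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo('link-out')
        link.type = tarfile.SYMTYPE
        link.linkname = '../../outside-target'     # constructed, deliberately outside
        tar.addfile(link)
    buf.seek(0)
    return buf


def demo():
    """Extract the sample archive into a temp dir; return the report and the
    relative paths that actually ended up on disk."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=build_test_archive(), mode='r') as tar:
            report = safe_extract(tar, dest)
        extracted = sorted(
            os.path.relpath(os.path.join(root, f), dest).replace(os.sep, '/')
            for root, _, files in os.walk(dest) for f in files)
    return report, extracted


if __name__ == '__main__':
    for line in demo()[0]:
        print(line)
```

Python 3.12 later added extraction filters to tarfile (extractall(filter='data') refuses absolute names, '..' and links that leave the destination), which covers the "reject" case directly; renaming rather than rejecting, as asked above, still needs a pass like sanitize_member_name.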
--
Ullrich Horlacher Server und Virtualisierung
Rechenzentrum IZUS/TIK E-Mail: horlacher at tik.uni-stuttgart.de
Universitaet Stuttgart Tel: ++49-711-68565868
Allmandring 30a Fax: ++49-711-682357
70550 Stuttgart (Germany) WWW: http://www.tik.uni-stuttgart.de/