tarfile : secure extract?
Lars Gustäbel
lars at gustaebel.de
Fri Feb 12 14:21:25 EST 2016
On Thu, Feb 11, 2016 at 11:24:01PM +0000, Ulli Horlacher wrote:
> In https://docs.python.org/2/library/tarfile.html there is a warning:
>
> Never extract archives from untrusted sources without prior inspection.
> It is possible that files are created outside of path, e.g. members that
> have absolute filenames starting with "/" or filenames with two dots
> "..".
>
> My program has to extract tar archives from untrusted sources :-}
Read the discussion in this issue on why this might be a bad idea:
http://bugs.python.org/issue21109
--
Lars Gustäbel
lars at gustaebel.de