[Security-sig] Archives (.tar or .zip) with absolute paths
Wes Turner
wes.turner at gmail.com
Thu Mar 9 19:52:42 EST 2017
On Thursday, March 9, 2017, Victor Stinner <victor.stinner at gmail.com> wrote:
> Hi,
>
> I'm sorry Wes, but I don't understand your long list of urls :-( Can
> you elaborate?
I thought that's what I was doing?
>
> I'm asking if there is a reason for allowing absolute paths by
> default. Maybe backward compatibility?
I think secure by default would be good here.
>
>
> 2017-03-09 20:33 GMT+01:00 Wes Turner <wes.turner at gmail.com>:
> > Docs: https://docs.python.org/3/library/tarfile.html
>
> I didn't write a private email to security@ because, as you pointed out,
> the issue has been known and *documented* in Python for 10 years.
Doesn't mean it's not broken
>
>
> > https://python-security.readthedocs.io/
>
> I wrote this doc :-) I just added notes about tarfile and zipfile.
The [ ] wiki links could also be useful
>
> Victor
>
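
Added example, not part of the original message or of CPython's own code: one way a caller can refuse tar members with absolute or escaping paths before extraction, the behaviour the thread asks to have by default. The function names and the in-memory sample archive are constructed for illustration; where the running Python provides tarfile's "data" extraction filter, it is applied as well.

```python
import io
import os
import tarfile
import tempfile


def build_sample_tar():
    """Constructed sample archive, built in memory: one benign and two hostile names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("ok/readme.txt", "/tmp/abs.txt", "../escape.txt"):
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)  # TarInfo keeps the name exactly as given
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def classify(member, dest):
    """Return None if the member may be extracted under dest, else a reason string."""
    name = member.name
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        return "absolute path"
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        return "escapes destination"
    if not (member.isfile() or member.isdir()):
        return "not a regular file or directory"  # links and devices are refused
    return None


def safe_extract(fileobj, dest):
    """Extract only safe members; return (extracted names, {rejected name: reason})."""
    # Use the stdlib "data" filter too when this Python version has it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    rejected, safe = {}, []
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        for member in tar.getmembers():
            reason = classify(member, dest)
            if reason:
                rejected[member.name] = reason
            else:
                safe.append(member)
        tar.extractall(dest, members=safe, **extra)
    return [m.name for m in safe], rejected


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(safe_extract(build_sample_tar(), d))
```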