[issue1044] tarfile insecure pathname extraction
Lars Gustäbel
report at bugs.python.org
Thu Aug 30 10:03:25 CEST 2007
Lars Gustäbel added the comment:
After careful consideration and a private discussion with Martin I no
longer think that we have a security issue here. tarfile.py does nothing
wrong, its behaviour conforms to the pax definition and pathname
resolution guidelines in POSIX. There is no known or possible practical
exploit.
I will update the documentation with a warning that it might be dangerous to
extract archives from untrusted sources. That is the only thing to be
done IMO.
----------
type: security -> behavior
__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue1044>
__________________________________
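The warning discussed above ("it might be dangerous to extract archives from untrusted sources") boils down to members whose names or link targets would land outside the extraction directory. The following pre-flight check is an added example and is not code from the tracker issue, from tarfile.py or from Lars; it builds a small in-memory archive (constructed sample data) containing the member kinds that matter, and lists the ones that would escape a chosen destination. The helper names unsafe_members, build_sample_archive and check_sample are this example's own. Recent Python versions (3.12, and the backports of PEP 706) provide the equivalent built-in protection via extractall(filter="data"); this manual check is for inspecting an archive before extracting it on interpreters without that filter.

```python
import io
import os
import tarfile


def _inside(base, candidate):
    """True if candidate resolves to base itself or to a path below base."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    return candidate == base or candidate.startswith(base + os.sep)


def _parents(name):
    """Yield archive-relative parent paths of name: 'a/b/c' -> 'a/b', 'a'."""
    parts = name.strip("/").split("/")
    for i in range(len(parts) - 1, 0, -1):
        yield "/".join(parts[:i])


def unsafe_members(tar, dest):
    """Return, in archive order, the names of members whose extraction into
    dest would write outside dest.

    Three cases are rejected:
      * names that resolve outside dest (absolute names, '..' components);
      * symlinks / hard links whose target resolves outside dest;
      * members whose path passes through an earlier symlink member, since a
        purely lexical check cannot see where that symlink will point once
        extracted (conservative: rejected even if the symlink looks safe).
    This is a check on the archive listing, done before anything is written.
    """
    dest = os.path.realpath(dest)
    symlink_names = set()
    bad = []
    for member in tar.getmembers():
        name = member.name.rstrip("/")
        target = os.path.join(dest, name)

        if not _inside(dest, target):
            bad.append(member.name)
            continue

        if any(parent in symlink_names for parent in _parents(name)):
            bad.append(member.name)
            continue

        if member.issym():
            symlink_names.add(name)
            # symlink targets are relative to the link's own directory
            link_target = os.path.join(os.path.dirname(target), member.linkname)
            if not _inside(dest, link_target):
                bad.append(member.name)
        elif member.islnk():
            # hard link targets are relative to the archive root
            if not _inside(dest, os.path.join(dest, member.linkname)):
                bad.append(member.name)
    return bad


def build_sample_archive():
    """Constructed sample: an in-memory tar mixing safe and unsafe members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name, linkname):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)

        add_file("pkg/README")                      # safe
        add_symlink("pkg/ok_link", "README")        # safe: stays inside pkg/
        add_file("../escape.txt")                   # unsafe: '..' escapes dest
        add_file("/tmp/absolute.txt")               # unsafe: absolute name
        add_symlink("pkg/link", "../../outside")    # unsafe: points above dest
        add_file("pkg/link/through_symlink.txt")    # unsafe: written via symlink
    buf.seek(0)
    return buf


def check_sample(dest="extract-here"):
    """Run the check against the constructed archive; dest need not exist."""
    with tarfile.open(fileobj=build_sample_archive()) as tar:
        return unsafe_members(tar, dest)


if __name__ == "__main__":
    for name in check_sample():
        print("would escape destination:", name)
```

Nothing is extracted by this check; it only reads the member list, so it can be run on an untrusted archive before deciding whether to unpack it. The realpath-based comparison is deliberately done on both the destination and the candidate path so that a destination that is itself a symlink (for example /tmp on macOS) is compared consistently.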