[Security-sig] Archives (.tar or .zip) with absolute paths
Victor Stinner
victor.stinner at gmail.com
Thu Mar 9 12:37:50 EST 2017
Hi,
I noticed that "python3 -m tarfile -x archive.tar" uses absolute paths
by default, whereas the UNIX tar command doesn't by default. The UNIX
tar command requires to add explicitly --absolute-paths (-P) option.
The tarfile and zipfile modules (maybe also some others, I didn't
check) contain warnings absolute paths and paths containing "..".
Why not ignoring "/" at start of filenames *by default*? By backward
compatibility?
I suggest to add a boolean absolute_path option to tarfile and zipfile
and disable it by default in the CLI. The question is what should be
the default value for the Python API. I suggest to use
absolute_path=False by default for safety.
Example to create such archive. See that tar also removes "/" by
default and requires to pass explicitly -P:
$ cd $HOME
# /home/haypo
$ echo TEST > test
$ tar -cf test.tar /home/haypo/test
tar: Removing leading `/' from member names
$ rm -f test.tar
$ tar -P -cf test.tar /home/haypo/test
$ rm -f test
Extracting such archive using tar is safe *by default*:
$ mkdir z
$ cd z
$ tar -xf ~/test.tar
tar: Removing leading `/' from member names
$ find
.
./home
./home/haypo
./home/haypo/test
Extracting such archive using Python is unsafe:
$ python3 -m tarfile -e ~/test.tar
$ cat ~/test
TEST
$ pwd
/home/haypo/z
Python creates files outside the current directory which is unsafe,
wheras tar doesn't.
Victor
More information about the Security-SIG
mailing list