As the sensational article on bleepingcomputer mentions: https://www.bleepingcomputer.com/news/security/unpatched-15-year-old-python-bug-allows-code-execution-in-350k-projects/

`tarfile.extractall()` just extracts everything that is in the tarball, including stuff like `../../../etc/passwd`, which is kind of shady, and exploitable - as the video shows.

This has been reported before: https://mail.python.org/pipermail/python-dev/2007-August/074290.html

I think the response was: "upstream should fix it". (Meaning: GNU tar)

Eventually, upstream did fix it; tar now throws an error when untarring files with `../` in them:

```
(base) %tar -tf tarvuln.tar
tarvuln/
tarvuln/blu.txt
tarvuln/bla.txt
etc/passwd_notreally
../../etc/passwd_notreally
(base) %tar -xf tarvuln.tar
../../etc/passwd_notreally: Path contains '..'
tar: Error exit delayed from previous errors.
```

I suggest `tarfile.extractall()` be changed so it throws that same error as GNU tar.
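A defender-side check that applies the same refusal as the tar session above, added here as an example and not code from this issue or from CPython: it rejects the whole archive if any member (or link target) would resolve outside the destination. It assumes the archive is available as bytes and uses a constructed sample archive modelled on the `tarvuln.tar` listing.

```python
import io
import os
import tarfile


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members that would land outside dest (the tar '..' check, plus links)."""
    root = os.path.realpath(dest)

    def escapes(path: str) -> bool:
        # realpath normalises '..' and symlinked parents before the prefix test
        return os.path.commonpath([root, os.path.realpath(path)]) != root

    bad = []
    for m in tar.getmembers():
        target = os.path.join(root, m.name)      # absolute names also escape here
        if escapes(target):
            bad.append(m.name)
        elif m.issym() and escapes(os.path.join(os.path.dirname(target), m.linkname)):
            bad.append(m.name)                   # symlink target is relative to the link's dir
        elif m.islnk() and escapes(os.path.join(root, m.linkname)):
            bad.append(m.name)                   # hardlink target is relative to archive root
    return bad


def scan_tar(tar_bytes: bytes, dest: str) -> list[str]:
    """Open an in-memory archive and report the members that escape dest."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        return unsafe_members(tar, dest)


def safe_extractall(tar_bytes: bytes, dest: str) -> None:
    """Refuse the whole archive, as tar does, if any member escapes dest."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing to extract, path contains '..': {bad}")
        tar.extractall(dest)


def build_sample_tar(with_traversal: bool) -> bytes:
    """Constructed sample archive mirroring the issue's tarvuln.tar listing."""
    names = ["tarvuln/bla.txt", "tarvuln/blu.txt"]
    if with_traversal:
        names.append("../../etc/passwd_notreally")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 3
            tar.addfile(info, io.BytesIO(b"hi\n"))
    return buf.getvalue()
```

On Python 3.12 and later the standard library offers the equivalent built-in guard as `extractall(dest, filter="data")`; the explicit scan above is for code that must run on older interpreters or wants to report the offending names before touching the disk.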
This issue is a duplicate of #73974
Denelvo commented Sep 30, 2022 (edited)

Bug report