| Path | csiph.com!fu-berlin.de!uni-berlin.de!not-for-mail |
|---|---|
| From | Lars Gustäbel <lars@gustaebel.de> |
| Newsgroups | comp.lang.python |
| Subject | Re: tarfile : secure extract? |
| Date | Fri, 12 Feb 2016 20:21:25 +0100 |
| Lines | 16 |
| Message-ID | <mailman.83.1455304896.22075.python-list@python.org> (permalink) |
| References | <n9j56h$93n$1@news2.informatik.uni-stuttgart.de> |
On Thu, Feb 11, 2016 at 11:24:01PM +0000, Ulli Horlacher wrote:
> In https://docs.python.org/2/library/tarfile.html there is a warning:
>
> Never extract archives from untrusted sources without prior inspection.
> It is possible that files are created outside of path, e.g. members that
> have absolute filenames starting with "/" or filenames with two dots
> "..".
>
> My program has to extract tar archives from untrusted sources :-}

Read the discussion in this issue on why this might be a bad idea:

http://bugs.python.org/issue21109

-- 
Lars Gustäbel
lars@gustaebel.de
tarfile : secure extract? Ulli Horlacher <framstag@rus.uni-stuttgart.de> - 2016-02-11 23:24 +0000
Re: tarfile : secure extract? Random832 <random832@fastmail.com> - 2016-02-12 11:01 -0500
Re: tarfile : secure extract? Ulli Horlacher <framstag@rus.uni-stuttgart.de> - 2016-02-12 19:43 +0000
Re: tarfile : secure extract? Lars Gustäbel <lars@gustaebel.de> - 2016-02-12 20:21 +0100