| Started by | Ulli Horlacher <framstag@rus.uni-stuttgart.de> |
|---|---|
| First post | 2016-02-11 23:24 +0000 |
| Last post | 2016-02-12 20:21 +0100 |
| Articles | 4 — 3 participants |
tarfile : secure extract? Ulli Horlacher <framstag@rus.uni-stuttgart.de> - 2016-02-11 23:24 +0000
Re: tarfile : secure extract? Random832 <random832@fastmail.com> - 2016-02-12 11:01 -0500
Re: tarfile : secure extract? Ulli Horlacher <framstag@rus.uni-stuttgart.de> - 2016-02-12 19:43 +0000
Re: tarfile : secure extract? Lars Gustäbel <lars@gustaebel.de> - 2016-02-12 20:21 +0100
| From | Ulli Horlacher <framstag@rus.uni-stuttgart.de> |
|---|---|
| Date | 2016-02-11 23:24 +0000 |
| Subject | tarfile : secure extract? |
| Message-ID | <n9j56h$93n$1@news2.informatik.uni-stuttgart.de> |
In https://docs.python.org/2/library/tarfile.html there is a warning:
Never extract archives from untrusted sources without prior inspection.
It is possible that files are created outside of path, e.g. members that
have absolute filenames starting with "/" or filenames with two dots
"..".
My program has to extract tar archives from untrusted sources :-}
So far, I ignore files with dangerous pathnames:
```python
from re import match
import tarfile

taro = tarfile.open("upload.tar")  # the archive from the untrusted source (filename assumed)

for member in taro.getmembers():
    file = member.name
    # skip names that begin with a drive letter, "..", "/" or "\"
    # (the (?i) flag has to be first; Python 3.11+ rejects it after "^")
    if match(r'(?i)^([a-z]:)?(\.\.)?[/\\]', file):
        print('ignoring "%s"' % file)
    else:
        print('extracting "%s"' % file)
        taro.extract(member)
```
A better approach would be to rename such files while extracting.
Is this possible?
--
Ullrich Horlacher Server und Virtualisierung
Rechenzentrum IZUS/TIK E-Mail: horlacher@tik.uni-stuttgart.de
Universitaet Stuttgart Tel: ++49-711-68565868
Allmandring 30a Fax: ++49-711-682357
70550 Stuttgart (Germany) WWW: http://www.tik.uni-stuttgart.de/
| From | Random832 <random832@fastmail.com> |
|---|---|
| Date | 2016-02-12 11:01 -0500 |
| Message-ID | <mailman.81.1455292876.22075.python-list@python.org> |
| In reply to | #102832 |
On Thu, Feb 11, 2016, at 18:24, Ulli Horlacher wrote:
> A better approach would be to rename such files while extracting.
> Is this possible?

What happens if you change member.name before extracting?
| From | Ulli Horlacher <framstag@rus.uni-stuttgart.de> |
|---|---|
| Date | 2016-02-12 19:43 +0000 |
| Message-ID | <n9lcl4$rih$1@news2.informatik.uni-stuttgart.de> |
| In reply to | #102865 |
Random832 <random832@fastmail.com> wrote:
> On Thu, Feb 11, 2016, at 18:24, Ulli Horlacher wrote:
> > A better approach would be to rename such files while extracting.
> > Is this possible?
>
> What happens if you change member.name before extracting?

Ohh... such an easy solution! :-)
--
Ullrich Horlacher
| From | Lars Gustäbel <lars@gustaebel.de> |
|---|---|
| Date | 2016-02-12 20:21 +0100 |
| Message-ID | <mailman.83.1455304896.22075.python-list@python.org> |
| In reply to | #102832 |
On Thu, Feb 11, 2016 at 11:24:01PM +0000, Ulli Horlacher wrote:
> In https://docs.python.org/2/library/tarfile.html there is a warning:
>
> Never extract archives from untrusted sources without prior inspection.
> It is possible that files are created outside of path, e.g. members that
> have absolute filenames starting with "/" or filenames with two dots
> "..".
>
> My program has to extract tar archives from untrusted sources :-}

Read the discussion in this issue on why this might be a bad idea:
http://bugs.python.org/issue21109
--
Lars Gustäbel
lars@gustaebel.de
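The rename-instead-of-skip approach Random832 suggests, combined with the per-member checks that the issue Lars points to motivates (each name resolved against the destination right before extraction, link targets checked too), as an added example that is not code from the thread; `build_sample_archive` is a constructed sample archive and the function names are assumptions.

```python
import io, os, re, tarfile, tempfile
_DRIVE = re.compile(r'^[a-zA-Z]:')

def sanitize_name(name):
    """Random832's idea: rewrite member.name rather than skip; drop drive, leading '/', '.' and '..'."""
    parts = _DRIVE.sub('', name.replace('\\', '/')).split('/')
    return '/'.join(p for p in parts if p not in ('', '.', '..')) or None

def _inside(dest, path):
    """True if path resolves below dest (realpath also follows symlinks an earlier member created)."""
    dest = os.path.realpath(dest)
    return os.path.commonpath([dest, os.path.realpath(path)]) == dest

def safe_extract(tar, dest):
    """Extract members one by one below dest; return (extracted, skipped) names."""
    extracted, skipped = [], []
    for member in tar.getmembers():
        original, new_name = member.name, sanitize_name(member.name)
        target = os.path.join(dest, new_name or '')
        ok = new_name is not None and _inside(dest, target)
        if ok and member.issym():    # symlink target is relative to the link's directory
            ok = _inside(dest, os.path.join(os.path.dirname(target), member.linkname))
        elif ok and member.islnk():  # hard link target is relative to the archive root
            ok = _inside(dest, os.path.join(dest, member.linkname))
        if not ok:
            skipped.append(original)
            continue
        member.name = new_name       # rename, then extract this member before looking at the next
        tar.extract(member, dest)
        extracted.append(new_name)
    return extracted, skipped

def build_sample_archive():
    """Constructed sample (not from the thread): benign and hostile member names in one tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w') as tar:
        for name in ('docs/readme.txt', '/etc/passwd', '../../escape.txt',
                     'C:\\Windows\\win.ini', 'sub/../inner.txt'):
            info = tarfile.TarInfo(name)
            info.size = 7
            tar.addfile(info, io.BytesIO(b'sample\n'))
        for name, linkname in (('bad_link', '/etc'), ('good_link', 'docs/readme.txt')):
            info = tarfile.TarInfo(name)
            info.type, info.linkname = tarfile.SYMTYPE, linkname
            tar.addfile(info)
    return io.BytesIO(buf.getvalue())

def demo():
    with tempfile.TemporaryDirectory() as dest, tarfile.open(fileobj=build_sample_archive()) as tar:
        return safe_extract(tar, dest)
```

Python 3.12 and later (and the security backports from 3.8.17 onward) offer `tar.extractall(dest, filter='data')`, which refuses absolute names, `..` components and links leaving the destination instead of renaming them.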