New submission from Daniel Garcia: The application does not validate the filenames inside the tar archive, allowing files to be extracted to arbitrary paths. An attacker can craft a tar file to override files.
I've seen this vulnerability in libtar: http://lwn.net/Vulnerabilities/587141/ I've checked that python tarfile doesn't validate the filenames, so python tarfile is vulnerable to this attack.
----------
components: Library (Lib)
files: prevent-tar-traversal-attack.diff
keywords: patch
messages: 215222
nosy: Daniel.Garcia
priority: normal
severity: normal
status: open
title: tarfile: Traversal attack vulnerability
type: security
versions: Python 3.5
Added file: http://bugs.python.org/file34676/prevent-tar-traversal-attack.diff
Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue21109>
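A defensive pre-extraction check for the traversal the report describes, as an added example that is not part of the submission or of the attached patch; `check_members`, `build_tar`, the exception class and the `/tmp/extract_here` destination are assumptions of this example. It rejects any member whose path, symlink target or hardlink target resolves outside the destination, which covers `../` segments, absolute names and links that point out of the tree.

```python
import io
import os
import tarfile

class TarTraversalError(Exception):
    """An archive member would be written outside the destination directory."""

def _is_within(base: str, target: str) -> bool:
    """True if target resolves to base itself or to a path beneath it."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def check_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return all member names if every member stays inside dest; otherwise raise
    TarTraversalError for the first member whose path, symlink target or hardlink
    target resolves outside dest. Call this before tar.extractall(dest)."""
    names = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)  # an absolute name discards dest
        if not _is_within(dest, target):
            raise TarTraversalError(f"path escapes destination: {member.name!r}")
        if member.issym():    # symlink target is relative to the link's directory
            link = os.path.join(os.path.dirname(target), member.linkname)
        elif member.islnk():  # hardlink target is relative to the archive root
            link = os.path.join(dest, member.linkname)
        else:
            link = None
        if link is not None and not _is_within(dest, link):
            raise TarTraversalError(f"link escapes destination: {member.name!r}")
        names.append(member.name)
    return names

def build_tar(entries) -> tarfile.TarFile:
    """Build an in-memory archive from constructed (name, payload, linkname)
    tuples: a bytes payload makes a regular file, a linkname makes a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname:
                info.type, info.linkname = tarfile.SYMTYPE, linkname
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

Python 3.12, and the security backports to earlier 3.x releases, added the `filter` argument to `TarFile.extractall()` (for example `filter='data'`), which performs checks of this kind inside the library itself.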