[issue2004] tarfile extractall() allows local attacker to overwrite files while extracting

2008-02-02 Thread Michael Brown
Michael Brown added the comment:

I can confirm that this issue has been addressed in trunk tarfile.py.

Tracker <http://bugs.python.org/issue2004>

[issue2004] tarfile extractall() allows local attacker to overwrite files while extracting

2008-02-02 Thread Michael Brown
New submission from Michael Brown:

Python 2.5.1 tarfile.py line 1516 in extractall() sets directories created to world-writeable while extracting, which means an attacker can change/modify files before perms are fixed. Suggest 770 while extracting to fix.

-- components: Library (Lib
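
One way to close the window described in the report, as an added example (not code from the report or from CPython's tarfile.py): directories are created owner-only and the modes recorded in the archive are applied only after every member has been written. The 0700 interim mode is this example's choice (the report suggests 770); `build_sample_tar`, `extract_private`, `demo` and the `observe` hook are hypothetical names, and the archive is constructed inline.

```python
import io
import os
import stat
import tarfile
import tempfile

def build_sample_tar():
    """Constructed sample archive: a directory recorded as 0777 plus one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        d = tarfile.TarInfo("shared")
        d.type, d.mode = tarfile.DIRTYPE, 0o777
        tar.addfile(d)
        f = tarfile.TarInfo("shared/data.txt")
        f.size, f.mode = 6, 0o644
        tar.addfile(f, io.BytesIO(b"hello\n"))
    return io.BytesIO(buf.getvalue())

def extract_private(fileobj, dest, observe=None):
    """Extract dirs and regular files only (links, devices skipped); dirs stay 0700 until the end."""
    root = os.path.realpath(dest)
    deferred = []
    with tarfile.open(fileobj=fileobj) as tar:
        for m in tar:
            path = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, path]) != root:
                raise ValueError("member escapes destination: %r" % m.name)
            if m.isdir():
                if not os.path.isdir(path):
                    os.mkdir(path, 0o700)
                os.chmod(path, 0o700)  # owner-only regardless of umask
                deferred.append((path, m.mode & 0o777))
            elif m.isreg():  # the directory entry must precede its contents
                fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
                with os.fdopen(fd, "wb") as out:
                    out.write(tar.extractfile(m).read())
                os.chmod(path, m.mode & 0o777)
            if observe:  # hypothetical hook: inspect on-disk state mid-extraction
                observe(path)
    for path, mode in sorted(deferred, reverse=True):  # final modes last, deepest first
        os.chmod(path, mode)
    return deferred

def demo():  # returns (directory modes seen mid-extraction, directory mode afterwards)
    with tempfile.TemporaryDirectory() as dest:
        shared = os.path.join(dest, "shared")
        during = []
        extract_private(build_sample_tar(), dest,
                        lambda _path: during.append(stat.S_IMODE(os.stat(shared).st_mode)))
        return during, stat.S_IMODE(os.stat(shared).st_mode)
```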