-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding tarfile member sanitization to extractall() #2741
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure, seems straightforward if a little unnecessary given this is only grabbing from github but if it stops people reporting security problems then that's good
Maybe I'm missing something but this change breaks the script on my mac:
|
I submitted another PR that changed numeric_owner as a keyword argument. That will support Python 3.5 or higher. |
@targos |
|
||
return prefix == abs_directory | ||
|
||
def safe_extract(tar, path=".", members=None, *, numeric_owner=False): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The asterisk is significant here.
if not is_within_directory(path, member_path): | ||
raise Exception("Attempted Path Traversal in Tar File") | ||
|
||
tar.extractall(path, members, numeric_owner) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extract
This must be tar.extractall(path, members, numeric_owner=numeric_owner)
|
From nodejs/node#44823:
@TrellixVulnTeam