Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ez_setup.py should validate tar file #7

Closed
ghost opened this issue Jun 3, 2013 · 10 comments
Closed

ez_setup.py should validate tar file #7

ghost opened this issue Jun 3, 2013 · 10 comments
Labels

Comments

@ghost
Copy link

@ghost ghost commented Jun 3, 2013

Originally reported by: tiran (Bitbucket: tiran, GitHub: tiran)


ez_setup._extractall() should validate the tar file members according to http://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall

I suggest that _extractall() shall raise an error if

  • a member is neither a directory nor a regular file (e.g. symlink, device)
  • member.name starts with '/' or contains '../' in order to prevent directory traversal attacks

I also propose to mask out problematic bits like SUID. After all ez_setup.py is usually run with root permission.

#!python
    for tarinfo in members:
        if tarinfo.name.startswith('/') or '../' in tarinfo.name:
            raise ValueError("Absolute file names or directory traversal forbidden: %s"
                                       % tarinfo.name)
        if tarinfo.isdir():
            # Extract directories with a safe mode.
            directories.append(tarinfo)
            tarinfo = copy.copy(tarinfo)
            tarinfo.mode = 448  # decimal for oct 0700
        elif tarinfo.isreg():
            tarinfo.mode &= 511 # 0777, mask out SUID, SGID, VTX
        else:
            raise ValueError("unsupported file type for file %s" % tarinfo.name)  

@ghost
Copy link
Author

@ghost ghost commented Jun 3, 2013

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


What if we distributed setuptools as a .zip instead of .tar.gz? Would that sidestep the security issues without involving ez_setup so intimately?

@ghost
Copy link
Author

@ghost ghost commented Jun 3, 2013

Original comment by tiran (Bitbucket: tiran, GitHub: tiran):


You still have to validate the paths. The zip format supports relative path names, too.

@ghost
Copy link
Author

@ghost ghost commented Jun 3, 2013

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


I don't feel right adding security features to a bootstrap wrapper. If these practices are good to employ in general, is there a reason they're not implemented in Python? In other words, why isn't there a 'safe_extract_all' in Python?

I see now the default extract behavior has changed to be secure (though the docs are ambiguous about which versions are safe). My preference would be to use zip files for distribution and add a compatibility wrapper for older Pythons (while supported by Setuptools) to prevent extraction outside of the designated target.

@ghost
Copy link
Author

@ghost ghost commented Feb 9, 2014

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


Use zip files rather than tar files for source distributions of setuptools itself. Fixes #7 for users of Python 2.7.4 and later.

@ghost
Copy link
Author

@ghost ghost commented Feb 9, 2014

Original comment by arfrever (Bitbucket: arfrever, GitHub: arfrever):


Please still provide tarballs. ez_setup.py does not need to use them. Unix users (e.g. who manually download and unpack tarballs and run setup.py) might prefer tarballs, since tar is always present in system, while unzip would have to be manually installed.

@ghost
Copy link
Author

@ghost ghost commented Feb 9, 2014

Original comment by arfrever (Bitbucket: arfrever, GitHub: arfrever):


Apparently something like formats = gztar zip (or even formats = bztar gztar zip) in setup.cfg could be used.

@ghost
Copy link
Author

@ghost ghost commented Feb 11, 2014

Original comment by arfrever (Bitbucket: arfrever, GitHub: arfrever):


Committed in 1dae705af90b488d06688941ff3d3452e92d8081.

@ghost
Copy link
Author

@ghost ghost commented Sep 8, 2015

Original comment by idgserpro (Bitbucket: idgserpro, GitHub: idgserpro):


Any possibility of creating a zip release of setuptools for archives before 3.0? Having to know which bootstrap.py version works with which ez_setup.py is very confusing for beginners, specially in legacy systems. It would be nice to be able to use the new parameters in https://bootstrap.pypa.io/bootstrap-buildout.py, --setuptools-version and --buildout-version to download these older releases, since the new ez_setup in https://bootstrap.pypa.io/ez_setup.py only accepts zips.

@ghost
Copy link
Author

@ghost ghost commented Sep 11, 2015

Original comment by idgserpro (Bitbucket: idgserpro, GitHub: idgserpro):


@jaraco Do you know if this is possible? What do you think?

@ghost
Copy link
Author

@ghost ghost commented Sep 13, 2015

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


@idgserpro, I created #432 to track your request.

@ghost ghost added major bug labels Mar 29, 2016
@ghost ghost closed this Mar 29, 2016
jaraco added a commit that referenced this issue Dec 7, 2020
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
0 participants