# Reference to Python mitigation #4

Status: Open · opened Jun 6, 2018 · 6 comments

### tirkarthi commented Jun 6, 2018

Python seems to do some mitigation which can be added to the README: https://docs.python.org/3/library/zipfile.html?highlight=zipfile#zipfile.ZipFile.extract

> If a member filename is an absolute path, a drive/UNC sharepoint and leading (back)slashes will be stripped, e.g.: `///foo/bar` becomes `foo/bar` on Unix, and `C:\foo\bar` becomes `foo\bar` on Windows. And all `".."` components in a member filename will be removed, e.g.: `../../foo../../ba..r` becomes `foo../ba..r`. On Windows illegal characters (`:`, `<`, `>`, `|`, `"`, `?`, and `*`) are replaced by underscore (`_`).

### sjmaple commented Jun 6, 2018


### nozmore commented Jun 8, 2018

Python tarfile appears to be vulnerable.
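The two Python behaviours discussed in this thread side by side, as an added example that is not part of the issue or of the Zip Slip project's own code: `zipfile.ZipFile.extract` strips `..` components and leading slashes as the quoted documentation says, while `tarfile` performs no such sanitisation, so a caller has to vet each member name against the destination directory before extracting it. The archives below are constructed in memory with one benign member and one traversal member; the destination is a nested temporary directory so the code can also confirm that nothing was written outside it. On Python 3.12 and later the tar extraction additionally passes `filter="data"`, the interpreter's own extraction filter, as a second layer on top of the explicit check.

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Constructed sample members: one benign file, one name that tries to escape
# the extraction directory (the Zip Slip / tar slip pattern).
MEMBERS = {
    "docs/readme.txt": b"benign content\n",
    "../../evil.txt": b"this must never land outside dest\n",
}


def build_zip():
    """Constructed zip archive containing MEMBERS, returned as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in MEMBERS.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_tar():
    """Constructed tar archive containing MEMBERS, returned as bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in MEMBERS.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_within(dest, candidate):
    """True iff candidate resolves (realpath on both sides) to a path under dest."""
    dest_real = os.path.realpath(dest)
    cand_real = os.path.realpath(candidate)
    return os.path.commonpath([dest_real, cand_real]) == dest_real


def extract_zip(zip_bytes, dest):
    """Relies on ZipFile.extract's documented stripping of '..' and leading
    slashes; returns the dest-relative paths that were actually written."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        written = [zf.extract(info, dest) for info in zf.infolist()]
    return sorted(os.path.relpath(p, dest) for p in written)


def extract_tar_safely(tar_bytes, dest):
    """tarfile does not sanitise names, so each member is checked before use.
    Only regular files whose target stays under dest are extracted; directories,
    links and devices are rejected (deliberately conservative). Returns
    (written dest-relative paths, rejected member names)."""
    written, rejected = [], []
    # tarfile.data_filter exists from Python 3.12; use the built-in filter too.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for info in tf.getmembers():
            target = os.path.join(dest, info.name)
            if info.isfile() and is_within(dest, target):
                tf.extract(info, dest, **extra)
                written.append(os.path.relpath(target, dest))
            else:
                rejected.append(info.name)
    return sorted(written), sorted(rejected)


def run_demo():
    """Extracts both constructed archives into root/a/b/dest and reports what
    landed where, including any file that escaped dest (expected: none)."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "a", "b", "dest")
        os.makedirs(dest)
        zip_written = extract_zip(build_zip(), dest)
        tar_written, tar_rejected = extract_tar_safely(build_tar(), dest)
        escaped = []
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                if not is_within(dest, p):
                    escaped.append(os.path.relpath(p, root))
        return {
            "zip_written": zip_written,      # ['docs/readme.txt', 'evil.txt']
            "tar_written": tar_written,      # ['docs/readme.txt']
            "tar_rejected": tar_rejected,    # ['../../evil.txt']
            "escaped_files": sorted(escaped),  # []
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The zip member `../../evil.txt` is written as `evil.txt` inside `dest`, which is exactly the documented stripping; the same name in the tar archive is rejected by `is_within` because `dest/../../evil.txt` resolves to `root/a/evil.txt`. The `realpath` on both sides matters: it keeps the comparison honest when `dest` itself lives under a symlinked path such as `/tmp` on macOS.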

### aviadatsnyk commented Jun 10, 2018

Thanks @nozmore, we're in contact with the python dev team to give them a short heads-up (although as you point out, this has been a known issue for a long time) and we'll add this to the README.

### aviadatsnyk commented Jun 12, 2018

@tirkarthi we're considering what would be the best way to include non-vulnerable libraries (and languages, for that matter); for now, we included the vulnerable python tarfile.

### epicfaace commented Aug 13, 2019

@aviadatsnyk can you update the website? Right now it has no indication of the tarfile problem:

> We also vetted the Ruby and Python ecosystems and couldn’t find any vulnerable code snippets or libraries. In fact, Python libraries were vulnerable until fixed in 2014.

### aviadatsnyk commented Aug 14, 2019

@epicfaace - we'll def look into it, thank you!