Reference to Python mitigation #4

Open
tirkarthi opened this issue Jun 6, 2018 · 6 comments

Comments

@tirkarthi

commented Jun 6, 2018

Python seems to do some mitigation which can be added to the README

Source : https://news.ycombinator.com/item?id=17237665

https://docs.python.org/3/library/zipfile.html?highlight=zipfile#zipfile.ZipFile.extract

If a member filename is an absolute path, a drive/UNC sharepoint and leading (back)slashes will be stripped, e.g.: ///foo/bar becomes foo/bar on Unix, and C:\foo\bar becomes foo\bar on Windows. And all ".." components in a member filename will be removed, e.g.: ../../foo../../ba..r becomes foo../ba..r. On Windows illegal characters (:, <, >, |, ", ?, and *) replaced by underscore (_).

@sjmaple

Contributor

commented Jun 6, 2018

Thanks for your feedback - we'll review and add to the README.

Thanks -- Simon

@nozmore


commented Jun 8, 2018

Python tarfile appears to be vulnerable.

https://bugs.python.org/issue17102
https://bugs.python.org/issue21109
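As an added example (not code from this repository, from the commenters, or from CPython), the script below builds a zip and a tar archive in memory with constructed member names (one benign, one `..` traversal, one absolute) and shows the two behaviours discussed in this thread side by side: the sanitisation `ZipFile.extract` applies to member names, as quoted from the Python docs in the first comment, and a containment check for tar members of the kind that `tarfile` itself did not perform in the bugs cited above. `MEMBER_NAMES`, `PAYLOAD`, the helper names and the scratch directory are assumptions made for the example.

```python
"""Added example, not code from the zip-slip repository or from CPython.

Builds a zip and a tar archive in memory whose member names are constructed
for the demonstration, then shows (1) where ZipFile.extract actually writes
them, per the docs quoted in this issue, and (2) a manual containment check
for tar members, since tarfile historically performed none.
"""
import io
import os
import tarfile
import tempfile
import zipfile

# Constructed member names: one benign, one '..' traversal, one absolute.
MEMBER_NAMES = ["ok.txt", "../../evil.txt", "/etc/evil.txt"]
PAYLOAD = b"payload"


def build_zip(names):
    """Return a BytesIO holding a zip whose entries use the given names verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, PAYLOAD)  # ZipInfo keeps '..' and a leading '/'
    buf.seek(0)
    return buf


def build_tar(names):
    """Return a BytesIO holding a tar whose entries use the given names verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            # Building TarInfo directly bypasses gettarinfo(), which would
            # strip the leading '/'; an attacker-made archive has no such step.
            info = tarfile.TarInfo(name=name)
            info.size = len(PAYLOAD)
            tf.addfile(info, io.BytesIO(PAYLOAD))
    buf.seek(0)
    return buf


def extract_zip_members(zip_buf, dest):
    """Extract every entry with ZipFile.extract and return where each landed,
    relative to dest. Stripping of '..' components and leading slashes is
    done by zipfile itself, so the hostile names stay inside dest."""
    written = []
    with zipfile.ZipFile(zip_buf) as zf:
        for name in zf.namelist():
            out_path = zf.extract(name, dest)  # returns the normalised path
            written.append(os.path.relpath(out_path, dest).replace(os.sep, "/"))
    return written


def unsafe_tar_members(tar_buf, dest):
    """Return the tar member names that would resolve outside dest.

    This is the containment check a caller had to add in front of
    TarFile.extractall, which wrote wherever the member name pointed."""
    dest_real = os.path.realpath(dest)
    unsafe = []
    with tarfile.open(fileobj=tar_buf, mode="r") as tf:
        for member in tf.getmembers():
            # os.path.join discards dest when member.name is absolute, and
            # realpath collapses '..', so both escape forms are caught here.
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                unsafe.append(member.name)
    return unsafe


def demo():
    """Run both checks in a scratch directory; nothing is written outside it."""
    with tempfile.TemporaryDirectory() as dest:
        zip_result = extract_zip_members(build_zip(MEMBER_NAMES), dest)
        tar_result = unsafe_tar_members(build_tar(MEMBER_NAMES), dest)
    return zip_result, tar_result


if __name__ == "__main__":
    zipped, tarred = demo()
    print("zipfile wrote (relative to dest):", zipped)
    print("tar members that would escape dest:", tarred)
```

Running it directly prints both results: zipfile rewrites `../../evil.txt` to `evil.txt` and `/etc/evil.txt` to `etc/evil.txt` inside the destination, while the tar check flags both hostile names and only passes `ok.txt`. The tar check is only the symptom-level test for paths; symlink and hard-link members need the same treatment, which is why Python 3.12 later added a `filter` argument to `TarFile.extractall` and `TarFile.extract`. On the versions this issue was written against, the caller had to do it.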

@aviadatsnyk

Contributor

commented Jun 10, 2018

thanks @nozmore , we're in contact with the python dev team to give them a short heads-up (although as you point out, this has been a known issue for a long time) and we'll add this to the README.

@aviadatsnyk

Contributor

commented Jun 12, 2018

@tirkarthi we're considering what would be the best way to include non-vulnerable libraries (and languages, for that matter); for now, we included the vulnerable Python tarfile.

@epicfaace


commented Aug 13, 2019

@aviadatsnyk can you update the website? Right now it has no indication of the tarfile problem:

We also vetted the Ruby and Python ecosystems and couldn’t find any vulnerable code snippets or libraries. In fact, Python libraries were vulnerable until fixed in 2014.

@aviadatsnyk

Contributor

commented Aug 14, 2019

@epicfaace - we'll def look into it, thank you!
