Directory traversal vulnerability in the (1) extract and (2) extractall
functions in the tarfile module in Python allows user-assisted remote
attackers to overwrite arbitrary files via a … (dot dot) sequence in
filenames in a TAR archive, a related issue to CVE-2001-1267.
Bugs
Notes
Author |
Note |
mdeslaur |
Upstream python eventually decided to fix this by adding an additional option to the affected functions to specify adding a filter. See PEP 706. While this does not change the default behaviour, applications modified to use the filter can now safely extract untrusted tar files. Due to the default not changing, we will not be fixing this issue in older Python releases, marking as ignored. |