> GNU tar is not supposed to place files outside its working directory,
> unless explicitly specified otherwise. So this is considered a security
> vulnerability.

So that's a vulnerability in GNU tar, sure - it does something that it is not supposed to do. But why is there also a vulnerability in tarfile.py? It does very well what it is supposed to do.

> AFAIK there is no specified behavior and other tars might act
> differently.

I think you are mistaken here. POSIX specifies something (although I'm uncertain what precisely) for pax(1); this ended the tar wars.

> Furthermore, extract() and extractall() documentation says "Extract
> (...) from the archive to the *current working directory* or directory
> [path]."
> So current behavior is actually inconsistent with the documentation.

Ok. However, what does it mean to create a file with an absolute path in the current directory? Also, it's fairly easy to see what creating "../foo" should do when done in the current directory: create a sibling of the current directory.

> No, the tar file itself is correct, according to POSIX. You can put
> anything into a tar. Point is, you should be able to untar any file
> 'safely'.

I see, you are asking for an option. If people want to have this option, it should be added. Then, of course, the question is what default it should take.

Regards,
Martin
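The "untar safely" option the thread asks for, as an added example that is not from the thread or from tarfile.py itself: a pre-extraction check that rejects members whose resolved path, or link target, would land outside the destination directory (absolute names, "../" components, escaping symlinks and hardlinks). The archive contents and function names are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile


def member_is_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """True if extracting `member` into `dest` cannot touch anything outside `dest`."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member.name))
    # An absolute name makes os.path.join discard `dest`; ".." components walk
    # out of it. Both resolve to a path whose common prefix with `dest` is shorter.
    if os.path.commonpath([dest, target]) != dest:
        return False
    if member.issym() or member.islnk():
        # Symlink targets are relative to the link's own directory; hardlink
        # targets are relative to the archive root. Resolve and re-check.
        base = os.path.dirname(target) if member.issym() else dest
        link_target = os.path.realpath(os.path.join(base, member.linkname))
        if os.path.commonpath([dest, link_target]) != dest:
            return False
    return True


def safe_extractall(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Extract only the safe members; return the names of rejected ones."""
    safe = [m for m in tar.getmembers() if member_is_safe(m, dest)]
    rejected = [m.name for m in tar.getmembers() if m not in safe]
    tar.extractall(dest, members=safe)
    return rejected


def build_sample_archive() -> tarfile.TarFile:
    """Constructed sample: one benign member plus the escape cases from the thread."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as w:
        for name in ("ok.txt", "../sibling.txt", "/abs.txt", "sub/../../up.txt"):
            info = tarfile.TarInfo(name)
            info.size = 1
            w.addfile(info, io.BytesIO(b"x"))
        link = tarfile.TarInfo("link")          # symlink pointing above dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../outside"
        w.addfile(link)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


def demo() -> list[str]:
    """Extract the sample archive into a scratch directory; return rejected names."""
    with tempfile.TemporaryDirectory() as dest, build_sample_archive() as tar:
        return safe_extractall(tar, dest)
```

Only `ok.txt` reaches the scratch directory; the other four members are reported back to the caller instead of being silently written elsewhere.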