[Python-Dev] Request for developer privileges.
Hello, my name is Lars Gustäbel (SF gustaebel). I contributed tarfile.py to the Python standard library in January 2003 and have been the maintainer since then. I have provided about 25 patches over the years, most of them fixes, some of them new features and improvements. As a result, I am pretty familiar with the Python development process. If possible I would like to get developer privileges to be able to work more actively on tarfile.py for a certain time. I am currently implementing read-write POSIX.1-2001 pax format support. Development is still in progress, but it is already clear at this point, that it will be a complex change, which will definitely require some maintenance once it is finished and in day-to-day use. I would like to clean up the tarfile test suite during this process as well. The introduction of the pax format is important because it is the first tar specification that puts an end to those annoying limitations of the "original" tar format. It will become the default format for GNU tar some day. Thank you, Lars. -- Lars Gustäbel [EMAIL PROTECTED] ___ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] 2.5 branch unfrozen
On Sat, Apr 21, 2007 at 04:45:37PM +1000, Anthony Baxter wrote: > Ok, things seem to be OK. So the release25-maint branch is unfrozen. > Go crazy. Well, a little bit crazy. I'm afraid that I went crazy a little too early. Sorry for that. Won't happen again. -- Lars Gustäbel [EMAIL PROTECTED] The truth is rarely pure and never simple. (Oscar Wilde) ___ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] tarfile and directory traversal vulnerability
On Fri, Aug 24, 2007 at 07:36:41PM +0200, Jan Matejek wrote:
> once upon a time there was a known vulnerability in tar (CVE-2001-1267,
> [1]), and while tar is now long fixed, python's tarfile module is
> affected too.
>
> The vulnerability goes basically like this: If you tar a file named
> "../../../../../etc/passwd" and then make the admin untar it,
> /etc/passwd gets overwritten.
> Another variety of this bug is a symlink one: if tar contains files like:
> ./-directory -> /etc
> ./-directory/passwd
> then the "-directory" symlink would be created first and /etc/passwd
> will be overwritten once again.
tarfile currently contains no sanity checks at all. The easiest
way to attack /etc/passwd would be to give tarfile a tar created
with `tar -cPf foo.tar /etc/passwd'.
> I was wondering how to fix it.
> The symlink problem obviously applies only to extractall() method and is
> easily fixed by delaying external (or possibly all) symlink creation,
> similar to how directory attributes are delayed now.
> I've attached a draft of the patch, if you like it, i'll polish it.
Suppose we have:
foo -> /etc
foo/passwd
If creation of the foo symlink is delayed, foo/passwd will be
extracted in a directory foo which will be created implicitly.
If we create the foo symlink afterwards it will fail because foo
already exists. The best way would be to completely ignore
members and link targets that are absolute or outside the
archive's scope.
> The traversal problem is harder, and it applies to extract() method as well.
> For extractall() alone, i would use something like:
>
> if tarinfo.name.startswith('../'):
> self.extract(tarinfo, path)
> else:
> warnings.warn("non-local file skipped: %s" % tarinfo.name,
> RuntimeWarning, stacklevel=1)
>
> For extract(), i am not sure. Maybe it should throw exception when it
> encounters such file, and have a special option to extract such files
> anyway. [...]
Yes, I think that is the right way to do it.
--
Lars Gustäbel
[EMAIL PROTECTED]
A chicken is an egg's way of producing more eggs.
(Anonymous)
___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe:
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] tarfile and directory traversal vulnerability
On Mon, Aug 27, 2007 at 07:40:36PM +0200, Jan Matejek wrote: > Lars Gustäbel wrote: > > Suppose we have: > > foo -> /etc > > foo/passwd > > > > If creation of the foo symlink is delayed, foo/passwd will be > > extracted in a directory foo which will be created implicitly. > > If we create the foo symlink afterwards it will fail because foo > > already exists. The best way would be to completely ignore > > members and link targets that are absolute or outside the > > archive's scope. > > GNU tar doesn't descend into symlinked directories when extracting, such > archive fails anyway: > > # tar xvf foo.tar > foo > foo/passwd > tar: foo/passwd: Cannot open: Not a directory > tar: Error exit delayed from previous errors > > I think that is the simplest solution, but i'm not sure how to best > implement that in extractall(). GNU tar creates a placeholder file for every hard or symbolic link during the extract process and in a second step replaces them with links. I don't think that this is a good choice for a library. The problem is that it leads to delayed and (from the user's POV) unrelated errors. I prefer the solution that archive members with pathnames that either start with a "/" or a "../" raise an exception by default and can be extracted only by direct request. I am currently working on a patch. Should we move this discussion over to the bugtracker? -- Lars Gustäbel [EMAIL PROTECTED] Linux is like a wigwam - no Gates, no Windows, Apache inside. ___ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
