[issue35909] Zip Slip Vulnerability

2019-02-06 Thread Christian Heimes
Christian Heimes added the comment: Thanks for reporting the issue. I'm closing this issue as duplicate of #21109. Let's keep all discussion on one issue. -- resolution: -> duplicate stage: -> resolved status: open -> closed superseder: -> tarfile: Traversal attack vulnerability

[issue35909] Zip Slip Vulnerability

2019-02-06 Thread Christian Heimes
Christian Heimes added the comment: You are both right and wrong. The zipfile module of Python 3.7 is fine, but the tarfile module is still vulnerable. $ curl -O https://raw.githubusercontent.com/snyk/zip-slip-vulnerability/master/archives/zip-slip.zip $ curl -O https://raw.githubuserconten

[issue35909] Zip Slip Vulnerability

2019-02-06 Thread SilentGhost
SilentGhost added the comment: issue 21109 was mentioned as an example of reported behaviour in https://github.com/snyk/zip-slip-vulnerability/issues/4#issuecomment-395848367 -- nosy: +SilentGhost

[issue35909] Zip Slip Vulnerability

2019-02-06 Thread Jeff Knupp
Jeff Knupp added the comment: According to https://snyk.io/research/zip-slip-vulnerability (the source of the paper), Python hasn't been vulnerable since 2014. -- nosy: +jeffknupp

[issue35909] Zip Slip Vulnerability

2019-02-06 Thread Raymond Hettinger
Change by Raymond Hettinger: -- assignee: -> christian.heimes nosy: +christian.heimes

[issue35909] Zip Slip Vulnerability

2019-02-06 Thread Sihoon Lee
Sihoon Lee added the comment: When I tested it before, it did not work. Did it really work? Could you show me your PoC code? -- nosy: +push0ebp -lars.gustaebel

[issue35909] Zip Slip Vulnerability

2019-02-06 Thread SilentGhost
Change by SilentGhost: -- keywords: +security_issue nosy: +lars.gustaebel

[issue35909] Zip Slip Vulnerability

2019-02-06 Thread uhei3nn9
New submission from uhei3nn9: As has been discovered in 06.2018, the Python library is affected by the zip slip vulnerability (meaning code execution). The affected section https://github.com/python/cpython/blob/3.7/Lib/tarfile.py has not been patched since then. Therefore it seems Python ha