Message 93021 - Python tracker

Message93021

Author	schmir
Recipients	schmir
Date	2009-09-22.22:10:49
SpamBayes Score	6.670818e-05
Marked as misclassified	No
Message-id	<1253657452.09.0.588869541997.issue6972@psf.upfronthosting.co.za>
In-reply-to

Content
ZipFile.extractall happily overwrites any file on the filesystem. One can put files with a name like "//etc/password" in a zip file and extractall will overwrite /etc/password (with sufficient rights). The docs say: ZipFile.extractall([path[, members[, pwd]]]) Extract all members from the archive to the current working directory. path specifies a different directory to extract to. members is optional and must be a subset of the list returned by namelist(). pwd is the password used for encrypted files. I read that as: it will put all files into path or a subdirectory. Using names like "../../../etc/password" also leads to files being written outside that path directory.

Content

ZipFile.extractall happily overwrites any file on the filesystem. One
can put files with a name like "//etc/password" in a zip file and
extractall will overwrite /etc/password (with sufficient rights).

The docs say:

ZipFile.extractall([path[, members[, pwd]]])

    Extract all members from the archive to the current working
directory. path specifies a different directory to extract to. members
is optional and must be a subset of the list returned by namelist(). pwd
is the password used for encrypted files.


I read that as: it will put all files into path or a subdirectory.
Using names like "../../../etc/password" also leads to files being
written outside that path directory.

History
Date	User	Action	Args
2009-09-22 22:10:52	schmir	set	recipients: + schmir
2009-09-22 22:10:52	schmir	set	messageid: <1253657452.09.0.588869541997.issue6972@psf.upfronthosting.co.za>
2009-09-22 22:10:50	schmir	link	issue6972 messages
2009-09-22 22:10:49	schmir	create