Opened 9 years ago
Closed 4 years ago
#27659 closed Bug (fixed)
Arbitrary file overrides in startproject/app template extraction
| Reported by: | Florian Apolloner | Owned by: | nobody |
|---|---|---|---|
| Component: | Utilities | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Florian Apolloner | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Note: This was reported as a security issue initially by me, but we think that this is more hardening than an actual issue -- if you are downloading untrusted archives the content can be much worse anyways…
The issue here is that tar files (and probably zip files too), can store full and/or relative paths and therefore escape out of the extraction root.
Attached is an initial WIP to show the issue and possible solution.
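The escape described above, as an added example that is not part of the ticket, the attached patch, or Django's own `startproject`/`startapp` code: it builds a tar archive in memory whose member names include a `../` relative path, an absolute path, and a symlink pointing outside the root, then extracts only the members whose resolved target stays under the extraction directory. All function names and the sample entries here are my own for illustration; the only library facts relied on are that `tarfile.addfile()` keeps a `TarInfo` name verbatim (whereas `tarfile.add()` strips leading `/`), and that Python versions with PEP 706 expose `tarfile.data_filter` and accept `filter="data"` on `extract()`.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample archive (not a real template): a normal file, a member that
# climbs out with "..", a member with an absolute name, a symlink that points
# outside the root, and a symlink that stays inside.
SAMPLE_ENTRIES = [
    ("project/settings.py", b"DEBUG = False\n"),
    ("../escaped.txt", b"written next to the root, not inside it\n"),
    ("/tmp/absolute.txt", b"absolute member name\n"),
    ("project/link_out", "../../outside"),   # symlink target escapes the root
    ("project/link_in", "settings.py"),      # symlink target stays inside
]

# Pass filter="data" where tarfile supports it (PEP 706); older versions have no kwarg.
EXTRACT_KWARGS = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}


def build_archive(entries):
    """Build an uncompressed tar in memory. entries are (name, payload) pairs where
    payload is bytes for a regular file or a str giving a symlink target. Names
    are stored verbatim via addfile(), so "../" and "/" prefixes survive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name=name)
            if isinstance(payload, bytes):
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    buf.seek(0)
    return buf


def is_within(root, relative_name):
    """True if joining relative_name onto root still resolves under root.
    realpath() collapses ".." and follows symlinks that already exist on disk;
    os.path.join() discards root entirely when relative_name is absolute."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, relative_name))
    return os.path.commonpath([root, target]) == root


def member_is_safe(root, info):
    """Reject members whose own path escapes, and link members whose target does.
    A symlink target is relative to the link's directory; a hardlink target is an
    archive-relative name."""
    if not is_within(root, info.name):
        return False
    if info.issym():
        return is_within(root, os.path.join(os.path.dirname(info.name), info.linkname))
    if info.islnk():
        return is_within(root, info.linkname)
    return True


def safe_extract(archive, root):
    """Extract members one at a time, checking each immediately before it is
    written so that a symlink extracted earlier is already visible to realpath().
    Returns (extracted_names, rejected_names)."""
    archive.seek(0)
    extracted, rejected = [], []
    with tarfile.open(fileobj=archive, mode="r") as tar:
        for info in tar:
            if not member_is_safe(root, info):
                rejected.append(info.name)
                continue
            tar.extract(info, path=root, **EXTRACT_KWARGS)
            extracted.append(info.name)
    return extracted, rejected


def list_tree(root):
    """Sorted relative paths of everything under root, to confirm nothing escaped."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            out.append(os.path.relpath(os.path.join(dirpath, entry), root))
    return sorted(out)


def demo():
    """Extract SAMPLE_ENTRIES into a fresh temp directory; return what happened."""
    root = tempfile.mkdtemp(prefix="tpl-")
    extracted, rejected = safe_extract(build_archive(SAMPLE_ENTRIES), root)
    return extracted, rejected, list_tree(root)


if __name__ == "__main__":
    ex, rej, tree = demo()
    print("extracted:", ex)
    print("rejected: ", rej)
    print("on disk:  ", tree)
```

The check is done per member at write time rather than once over `getmembers()` up front, because an archive can first drop a symlink that points inside the root and then write through it; resolving each target against what is already on disk catches that ordering. Zip archives need the same treatment, since `ZipInfo.filename` can also carry `../` components and `ZipFile.extractall()` only strips leading slashes and drive letters, not parent references resolved through symlinks.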
Attachments (1)
Change History (4)
by , 9 years ago
| Attachment: | patch.diff added |
|---|
comment:1 by , 9 years ago
| Has patch: | set |
|---|
comment:2 by , 9 years ago
| Needs tests: | set |
|---|---|
| Patch needs improvement: | set |
comment:3 by , 4 years ago
| Has patch: | unset |
|---|---|
| Needs tests: | unset |
| Patch needs improvement: | unset |
| Resolution: | → fixed |
| Status: | new → closed |
Fixed in 05413afa8c18cdb978fcdf470e09f7a12b234a23.