abort tarball extraction if unsafe path encountered #8374
Conversation
c571259 to
965fa5e
Compare
|
Note: this code is really a placeholder. The right answer to this is our libarchive-based tarball handling. This implementation is here to get 4.6.x into a better state, but it should be replaced by the conda-package-handling code. |
conda/gateways/disk/create.py
Outdated
| for member in tar_file.getmembers(): | ||
| if (os.path.isabs(member.name) or | ||
| not os.path.realpath(member.name).startswith(os.getcwd())): | ||
| sys.exit("tarball {} contains unsafe path: {}. Erroring out." |
There was a problem hiding this comment.
Would raising an error be more appropriate here? That would allow conda's error handling and logging framework to capture and report the error.
|
. |
|
The performance penalty here is going to suck. We should probably put it behind the safety checks parameter. Maybe we can skip safety checks for signed packages from known channels or something. |
8ea3be3 to
f315829
Compare
f315829 to
f86c79b
Compare
|
Hi there, thank you for your contribution to Conda! This pull request has been automatically locked since it has not had recent activity after it was closed. Please open a new issue or pull request if needed. |
Conda's handling of tarball extraction leaves potential for malicious tarballs to do naughty things. More at
https://bugs.python.org/issue1044#msg55464
https://nvd.nist.gov/vuln/detail/CVE-2007-4559
The most recent development in Python seems to be at https://bugs.python.org/issue21109
This patch is intended to exit out when malcious paths are encountered, but we should study the most recent development in Python mentioned above to double-check.
This code will be rendered obsolete by the switch to libarchive (via conda-package-handling) thanks to its security flags: https://github.com/conda/conda-package-handling/blob/master/conda_package_handling/tarball.py#L68-L77