Possible security flaw


Michele Comitini

May 23, 2012, 12:36:30 PM
to web2py-developers
Inside gluon/fileutils.py TarFile class:

    for tarinfo in members:
        if tarinfo.isdir():
            # Extract directory with a safe mode, so that
            # all files below can be extracted as well.
            try:
                os.makedirs(os.path.join(path,
                                         tarinfo.name), 0777)
            except EnvironmentError:
                pass
            directories.append(tarinfo)
        else:
            self.extract(tarinfo, path)


That 777 is suspect. Shouldn't it be 700? Aka dnoB semaJ (James Bond
reverted) ;-)

mic
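
Added example, not part of the original thread or of web2py's code: it measures the mode os.makedirs actually produces for the 0777 call quoted above under different umasks, next to an owner-only variant. The function names and the a/b/c member path are hypothetical, and it assumes Python 3 on a POSIX filesystem.

```python
import os
import tempfile


def perm_bits(path):
    """Return only the rwx permission bits of path."""
    return os.stat(path).st_mode & 0o777


def makedirs_mode(requested_mode, umask):
    """Create one directory the way the quoted loop does; report its mode."""
    with tempfile.TemporaryDirectory() as base:   # constructed scratch dir
        old = os.umask(umask)     # umask is process-wide, restored below
        try:
            target = os.path.join(base, "member_dir")
            os.makedirs(target, requested_mode)
            return perm_bits(target)
        finally:
            os.umask(old)


def make_private_dirs(path, name):
    """Create path/name with every newly created level owner-only.

    Since Python 3.7 the mode argument of os.makedirs applies only to the
    leaf directory, so a restrictive umask covers the intermediate levels.
    """
    old = os.umask(0o077)
    try:
        os.makedirs(os.path.join(path, name), 0o700, exist_ok=True)
    finally:
        os.umask(old)


def nested_modes(umask):
    """Modes of a/, a/b/ and a/b/c/ as created by make_private_dirs."""
    parts = ["a", os.path.join("a", "b"), os.path.join("a", "b", "c")]
    with tempfile.TemporaryDirectory() as base:
        old = os.umask(umask)     # simulate a permissive caller environment
        try:
            make_private_dirs(base, parts[-1])
        finally:
            os.umask(old)
        return [perm_bits(os.path.join(base, p)) for p in parts]


if __name__ == "__main__":
    for mode, mask in [(0o777, 0o000), (0o777, 0o022), (0o700, 0o000)]:
        print(oct(mode), oct(mask), "->", oct(makedirs_mode(mode, mask)))
    print([oct(m) for m in nested_modes(0o000)])
```

With 0777 the result depends entirely on the process umask, so a permissive umask leaves the extracted directories world-writable; with 0700 they stay owner-only regardless.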

Michele Comitini

May 23, 2012, 12:37:30 PM
to web2py-developers
Btw I do not know which Python still needs that, maybe it could be removed?

2012/5/23 Michele Comitini <michele....@gmail.com>:
