Merged
bpo-41316: Make tarfile follow specs for FNAME
tarfile writes the full path to the FNAME field of the GZIP format instead of just the basename if the user specified an absolute path. Some archive viewers may process the file incorrectly. It also creates a security issue because anyone can learn the structure of directories on the system and the username or other personal information.

RFC1952 says about FNAME:
This is the original name of the file being compressed, with any directory components removed.

So tarfile must remove directory names from FNAME and write only the basename of the file.
ArtemSBulgakov committed Jul 28, 2020
commit 5639f66f6707bf3f41a0bbd09318ab1c4b6e1b29
2 changes: 2 additions & 0 deletions Lib/tarfile.py
Expand Up @@ -420,6 +420,8 @@ def _init_write_gz(self):
self.__write(b"\037\213\010\010" + timestamp + b"\002\377")
if self.name.endswith(".gz"):
self.name = self.name[:-3]
# Remove directory components
self.name = os.path.basename(self.name)
# RFC1952 says we must use ISO-8859-1 for the FNAME field.
self.__write(self.name.encode("iso-8859-1", "replace") + NUL)
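Review bot: the added `self.name = os.path.basename(self.name)` comes with no test in this commit, which changes only Lib/tarfile.py; a regression test that writes a gzip-compressed archive to an absolute path and asserts that the FNAME bytes in the header contain no directory separator would keep the path disclosure from coming back. The comment `# Remove directory components` would also read better if it named RFC 1952 as the reason, the way the following comment does for the ISO-8859-1 encoding. Separately, `os.path.basename` splits only on the host platform's separators and returns an empty string for a name that ends in a separator, so it is worth confirming that both cases still yield an acceptable FNAME.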
