ez_setup.py should validate tar file #7
Comments
Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco): I don't feel right adding security features to a bootstrap wrapper. If these practices are good to employ in general, is there a reason they're not implemented in Python? In other words, why isn't there a 'safe_extract_all' in Python? I see now the default extract behavior has changed to be secure (though the docs are ambiguous about which versions are safe). My preference would be to use zip files for distribution and add a compatibility wrapper for older Pythons (while supported by Setuptools) to prevent extraction outside of the designated target.
Original comment by arfrever (Bitbucket: arfrever, GitHub: arfrever): Please still provide tarballs. ez_setup.py does not need to use them. Unix users (e.g. who manually download and unpack tarballs and run setup.py) might prefer tarballs, since tar is always present in the system, while unzip would have to be manually installed.
Original comment by idgserpro (Bitbucket: idgserpro, GitHub: idgserpro): Any possibility of creating a zip release of setuptools for archives before 3.0? Having to know which bootstrap.py version works with which ez_setup.py is very confusing for beginners, especially in legacy systems. It would be nice to be able to use the new parameters in https://bootstrap.pypa.io/bootstrap-buildout.py, --setuptools-version and --buildout-version to download these older releases, since the new ez_setup in https://bootstrap.pypa.io/ez_setup.py only accepts zips.
Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco): @idgserpro, I created #432 to track your request.
Originally reported by: tiran (Bitbucket: tiran, GitHub: tiran)
ez_setup._extractall() should validate the tar file members according to https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall
I suggest that _extractall() shall raise an error if
I also propose to mask out problematic bits like SUID. After all, ez_setup.py is usually run with root permission.
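One way to implement the validation the report asks for, as an added example with hypothetical helper names (not ez_setup's own code): it rejects members whose path or link target resolves outside the destination, rejects device and FIFO entries, masks the SUID/SGID/sticky bits, validates every member before any is extracted, and on Pythons that ship the stdlib `data` filter passes that as well. The sample archives are constructed in memory.

```python
import copy
import io
import os
import stat
import tarfile
import tempfile

# Added example, not ez_setup's own code: reject escaping members, mask SUID/SGID/sticky.
DANGEROUS_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX

class UnsafeTarMember(tarfile.ExtractError):
    """Member escapes `dest`, links outside it, or is a special file."""

def _inside(dest, relpath):
    base = os.path.realpath(dest)
    return os.path.commonpath([base, os.path.realpath(os.path.join(base, relpath))]) == base

def safe_member(member, dest):
    """Return a sanitised copy of `member`, or raise UnsafeTarMember."""
    name = member.name
    if os.path.isabs(name) or not _inside(dest, name):
        raise UnsafeTarMember("path escapes %s: %r" % (dest, name))
    if member.issym() or member.islnk():
        link_dir = os.path.dirname(name) if member.issym() else ""  # symlinks resolve from their own dir
        if os.path.isabs(member.linkname) or not _inside(dest, os.path.join(link_dir, member.linkname)):
            raise UnsafeTarMember("link escapes %s: %r -> %r" % (dest, name, member.linkname))
    if member.ischr() or member.isblk() or member.isfifo():
        raise UnsafeTarMember("special file not allowed: %r" % name)
    clean = copy.copy(member)  # leave the archive's own TarInfo untouched
    clean.mode = member.mode & ~DANGEROUS_BITS
    return clean

def safe_extractall(tar, dest):
    """Validate every member before extracting any, so a bad archive extracts nothing."""
    members = [safe_member(m, dest) for m in tar.getmembers()]
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # stdlib filter too, where available
    for m in members:
        tar.extract(m, dest, **kwargs)
    return {m.name: m.mode for m in members}

def build_tar(entries):
    """Constructed sample .tar.gz from (name, mode, text) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, text in entries:
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

def extract_bytes(tar_bytes):
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        return safe_extractall(tar, tempfile.mkdtemp())  # fresh temp dir per call; returns {name: mode}
```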