Issue #7 resolved should validate tar file

Christian Heimes
created an issue

ez_setup._extractall() should validate the tar file members according to

I suggest that _extractall() shall raise an error if

  • a member is neither a directory nor a regular file (e.g. symlink, device)

  • starts with '/' or contains '../' in order to prevent directory traversal attacks

I also propose to mask out problematic bits like SUID. After all is usually run with root permission.

    import copy

    # Inside _extractall(): check every member before it is extracted.
    for tarinfo in members:
        if tarinfo.name.startswith('/') or '../' in tarinfo.name:
            raise ValueError("Absolute file names or directory traversal forbidden: %s"
                             % tarinfo.name)
        if tarinfo.isdir():
            # Extract directories with a safe mode.
            tarinfo = copy.copy(tarinfo)
            tarinfo.mode = 448  # decimal for oct 0700
        elif tarinfo.isreg():
            tarinfo.mode &= 511  # 0777, mask out SUID, SGID, VTX
        else:
            raise ValueError("unsupported file type for file %s" % tarinfo.name)
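The three checks proposed above, as an added example that is not code from the issue or from setuptools: it validates each member of a small constructed archive and also resolves every name against the destination directory, which catches traversal spellings such as "a/../../x" that a plain '../' substring test misses. The function names and the sample archive are assumptions made for the example.

```python
import copy
import io
import os
import tarfile

def sanitize_member(tarinfo, dest="."):
    """Return a copy of tarinfo that is safe to extract under dest, else raise ValueError.

    The three checks from the issue: no absolute or parent-traversing names, only
    directories and regular files, no SUID/SGID/sticky bits.  Resolving the name
    against dest also catches "a/../../x", which a plain '../' in name test misses.
    """
    name, root = tarinfo.name, os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.isabs(name) or not (target == root or target.startswith(root + os.sep)):
        raise ValueError("absolute name or directory traversal: %s" % name)
    safe = copy.copy(tarinfo)  # never mutate the archive's own TarInfo
    if tarinfo.isdir():
        safe.mode = 0o700      # directories: owner-only, as in the proposal
    elif tarinfo.isreg():
        safe.mode &= 0o777     # mask out SUID, SGID and sticky bits
    else:
        raise ValueError("unsupported member type for %s" % name)
    return safe

def check_archive(data, dest="."):
    """Map each member name of an in-memory tar to its verdict (nothing is extracted)."""
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            try:
                verdicts[member.name] = "ok mode=%o" % sanitize_member(member, dest).mode
            except ValueError as exc:
                verdicts[member.name] = "rejected: %s" % exc
    return verdicts

def build_sample():
    """Constructed archive: benign dir and file, plus setuid, traversal and symlink members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, kind, link in [("pkg", 0o755, tarfile.DIRTYPE, ""),
                                       ("pkg/setup.py", 0o644, tarfile.REGTYPE, ""),
                                       ("pkg/helper", 0o4755, tarfile.REGTYPE, ""),
                                       ("pkg/../../escape.py", 0o644, tarfile.REGTYPE, ""),
                                       ("pkg/link", 0o777, tarfile.SYMTYPE, "/etc/passwd")]:
            info = tarfile.TarInfo(name)
            info.mode, info.type, info.linkname = mode, kind, link
            tar.addfile(info, io.BytesIO(b"") if kind == tarfile.REGTYPE else None)
    return buf.getvalue()
```

On Python 3.12 and later the standard library offers similar built-in checks via extractall(..., filter="data").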

Comments (11)

  1. Jason R. Coombs

    I don't feel right adding security features to a bootstrap wrapper. If these practices are good to employ in general, is there a reason they're not implemented in Python? In other words, why isn't there a 'safe_extract_all' in Python?

    I see now the default extract behavior has changed to be secure (though the docs are ambiguous about which versions are safe). My preference would be to use zip files for distribution and add a compatibility wrapper for older Pythons (while supported by Setuptools) to prevent extraction outside of the designated target.

  2. Arfrever Frehtes Taifersar Arahesis

    Please still provide tarballs. does not need to use them. Unix users (e.g. who manually download and unpack tarballs and run might prefer tarballs, since tar is always present in system, while unzip would have to be manually installed.

  3. idg serpro

    Any possibility of creating a zip release of setuptools for archives before 3.0? Having to know which version works with which is very confusing for beginners, especially in legacy systems. It would be nice to be able to use the new parameters in, --setuptools-version and --buildout-version to download these older releases, since the new ez_setup in only accepts zips.
