Several path traversal bugs related to the use of the zipfile module #730

Closed
d1b opened this issue Nov 23, 2012 · 1 comment

d1b commented Nov 23, 2012

There are several instances of path traversal bugs in pip.

  1. `pip/commands/zip.py`: the `unzip_package` method does no checking of the filename provided by the zip (line 137 - `for name in zip.namelist():`)
  2. `pip/util.py`: the `unzip_file` function is vulnerable to path traversal if the `flatten` argument is false or if there are two filenames with different leading paths in the zipfile (`has_leading_dir` returns false)
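
The check the report says is missing, as an added example that is not part of the original issue and is not pip's code: each name from `namelist()` is joined to the destination and refused unless the result stays inside it. The function names and the `/srv/unpack` destination are assumptions, and the archive is constructed in memory.

```python
import io
import os
import zipfile


def build_sample_zip():
    """Constructed archive: two ordinary members and two that leave the target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "")
        zf.writestr("pkg/data/readme.txt", "ok")
        zf.writestr("../outside.txt", "parent-directory member")
        zf.writestr("/tmp/absolute.txt", "absolute-path member")
    buf.seek(0)
    return buf


def naive_target(location, name):
    """Path an unchecked extractor writes to: the member name is trusted as-is."""
    return os.path.normpath(os.path.join(location, name))


def is_within(location, target):
    """True if target is location itself or lies below it."""
    location = os.path.abspath(location)
    target = os.path.abspath(target)
    return os.path.commonpath([location, target]) == location


def classify_members(archive, location):
    """Split member names into (safe, rejected) without writing to disk."""
    safe, rejected = [], []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            target = naive_target(location, name)
            (safe if is_within(location, target) else rejected).append(name)
    return safe, rejected


if __name__ == "__main__":
    safe, rejected = classify_members(build_sample_zip(), "/srv/unpack")
    print("extract:", safe)
    print("refuse: ", rejected)
```

The comparison uses `os.path.abspath`, which does not resolve symlinks; an extractor that may write through links already present under the destination needs `os.path.realpath` on both sides.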

xavfernandez added the "type: bug" (A confirmed bug or unintended behavior) label Oct 8, 2015

dstufft commented Mar 30, 2017

Duplicate of #3907.

dstufft closed this as completed Mar 30, 2017

lock bot added the "auto-locked" (Outdated issues that have been locked by automation) label Jun 3, 2019

lock bot locked as resolved and limited conversation to collaborators Jun 3, 2019