
Re: process-deb-once-with-python review



* Niels Thykier <niels@thykier.net>, 2014-07-08, 07:34:
          member.mode |= 0200

We should also make sure that the permissions won't be excessive (honoured umask, no setuid, no setgid etc.) and that the file will be owned by the user who runs the code.

Certainly, that could be done. Do you know if tar(1) does that with permissions as well (for normal users)?

Yes, when unpacking as normal user, the default is --no-same-owner ("extract files as yourself") and --no-same-permissions ("apply the user's umask when extracting permissions").

So far I have not had an issue with owners, despite extracting data.tar, where all files are (usually) owned by root/root.

I looked at the source of the tarfile module. Turns out that TarFile.chmod() is a no-op when os.getuid() != 0.

That said, I guess we should be safe rather than sorry here as well.

Agreed.

The extract() method is unfortunately quite dumb. :-( It will happily write over an existing symlink, or write to an existing FIFO, or...

If we ensure the extraction does not escape the unpack root and assert that the target does not exist in any way, I guess this problem would be avoided?

That's right.

--
Jakub Wilk
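As an added example (not code from this thread, nor from the process-deb-once-with-python tool under review), the policy agreed above in a Python 3 routine that avoids TarFile.extract() entirely: each member path is resolved and must stay inside the unpack root, the target must not already exist (so nothing is ever written through a symlink or into a FIFO), only regular files and directories are created, setuid/setgid/sticky bits are dropped and the umask is applied, and no chown is attempted, so files end up owned by the user running the code. The function names, the in-memory sample archive (root-owned entries, a setuid binary, a symlink and a `../` path) and the temp-dir demo are all constructed for this example.

```python
import io
import os
import shutil
import stat
import tarfile
import tempfile


def _target_inside_root(root, name):
    """Resolve name under root; return the absolute target, or None if it escapes."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, name))
    return target if target == root or target.startswith(root + os.sep) else None


def _safe_mode(mode, umask):
    """Keep only rwx bits (drops setuid/setgid/sticky), then honour the umask."""
    return mode & 0o777 & ~umask


def extract_tar_safely(archive_bytes, root, umask=None):
    """Unpack a tar (e.g. data.tar from a .deb) into root under a strict policy.

    Returns (extracted_names, skipped) where skipped is a list of (name, reason).
    Ownership is never changed: files belong to whoever runs this.
    """
    if umask is None:                      # read the process umask without changing it
        umask = os.umask(0)
        os.umask(umask)
    extracted, skipped = [], []
    os.makedirs(root, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            target = _target_inside_root(root, member.name)
            if target is None:
                skipped.append((member.name, "escapes unpack root"))
                continue
            if not (member.isfile() or member.isdir()):   # symlinks, hardlinks, FIFOs, devices
                skipped.append((member.name, "not a regular file or directory"))
                continue
            # Refuse to touch anything that already exists, except re-entering a real directory.
            if os.path.islink(target) or (
                os.path.lexists(target) and not (member.isdir() and os.path.isdir(target))
            ):
                skipped.append((member.name, "target already exists"))
                continue
            mode = _safe_mode(member.mode, umask)
            if member.isdir():
                if not os.path.isdir(target):
                    os.mkdir(target, mode)
                    os.chmod(target, mode)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                # O_CREAT|O_EXCL fails if anything (even a dangling symlink) appears at the path.
                fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
                with os.fdopen(fd, "wb") as out, tar.extractfile(member) as src:
                    shutil.copyfileobj(src, out)
                os.chmod(target, mode)     # os.open applied the process umask; set the exact mode
            extracted.append(member.name)
    return extracted, skipped


def build_sample_archive():
    """Constructed data.tar-style archive exercising each policy branch."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=None, mode=0o644, ftype=tarfile.REGTYPE, linkname=""):
            info = tarfile.TarInfo(name)
            info.type, info.mode, info.linkname = ftype, mode, linkname
            info.uid = info.gid = 0                  # like a real data.tar: owned by root/root
            info.uname = info.gname = "root"
            info.size = len(data) if data is not None else 0
            tar.addfile(info, io.BytesIO(data) if data is not None else None)
        add("./", mode=0o755, ftype=tarfile.DIRTYPE)
        add("./usr/", mode=0o755, ftype=tarfile.DIRTYPE)
        add("./usr/bin/", mode=0o755, ftype=tarfile.DIRTYPE)
        add("./usr/bin/tool", b"#!/bin/sh\necho hi\n", mode=0o4755)            # setuid: bit dropped
        add("./usr/bin/link", ftype=tarfile.SYMTYPE, linkname="/etc/passwd")  # symlink: skipped
        add("../escape", b"x")                                                # traversal: skipped
    return buf.getvalue()


def run_demo():
    """Extract the sample archive twice into a fresh temp dir and report what happened."""
    archive = build_sample_archive()
    root = tempfile.mkdtemp(prefix="safe-unpack-")
    first_done, first_skipped = extract_tar_safely(archive, root, umask=0o022)
    second_done, second_skipped = extract_tar_safely(archive, root, umask=0o022)
    tool = os.path.join(root, "usr", "bin", "tool")
    report = {
        "first_done": first_done,
        "first_skipped": sorted(first_skipped),
        "tool_mode": stat.S_IMODE(os.stat(tool).st_mode),
        "tool_owned_by_me": os.stat(tool).st_uid == os.getuid(),
        "link_created": os.path.lexists(os.path.join(root, "usr", "bin", "link")),
        "second_done": second_done,
        "second_skipped": sorted(second_skipped),
    }
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The second pass over the same root is what the "assert that the target does not exist" rule buys: every file already present is reported as skipped rather than silently overwritten, while directories that already exist are simply re-entered. Resolving the target with realpath before the existence check also catches a symlink planted earlier in the archive that points outside the root.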

