| field | value | date |
|---|---|---|
| author | Peter Korsgaard <peter@korsgaard.com> | 2019-02-11 23:22:02 +0100 |
| committer | Peter Korsgaard <peter@korsgaard.com> | 2019-02-12 21:27:35 +0100 |
| commit | a83e30ad63e00d6c81a6409161c2d3010d98d373 (patch) | |
| tree | e8bdf57af51a26a87ffe81f5316e97a082e9ce97 /README | |
| parent | 424a90241c07fd15cd1caadd707f751461cf11fc (diff) | |
utils/scanpypi: protect against zip-slip vulnerability in zip/tar handling

For details, see https://github.com/snyk/zip-slip-vulnerability

Older python versions do not validate that the extracted files are inside
the target directory. Detect and error out on evil paths before extracting
the .zip / .tar file.

Given the scope of this (zip issue was fixed in python 2.7.4, released
2013-04-06, scanpypi is only used by a developer when adding a new python
package), the security impact is fairly minimal, but it is good to get it
fixed anyway.

Reported-by: Bas van Schaik <security-reports@semmle.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'README'): 0 files changed, 0 insertions, 0 deletions
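The commit message describes the mitigation only in outline: inspect every member path of the archive and refuse to extract if any of them would land outside the target directory. The following is an added example of that check, written for this page and not taken from Buildroot's `utils/scanpypi`; the function names (`is_within_directory`, `unsafe_members`, `check_zip`, `check_tar`, `safe_extract_zip`) and the in-memory sample archives are constructed for the demonstration. It covers both `..` traversal and absolute member names, for zip and tar alike.

```python
"""Reject zip-slip member paths before extracting an archive.

Added example, not Buildroot's scanpypi code. Each member name is joined
to the destination, resolved, and required to stay inside the destination.
"""
import io
import os
import tarfile
import zipfile


def is_within_directory(directory, target):
    """True if `target` resolves to a location inside `directory`."""
    abs_directory = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    # commonpath catches both '..' escapes and absolute member names,
    # and does not fall for sibling prefixes such as 'extract2'.
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def unsafe_members(names, dest):
    """Return the archive member names that would land outside `dest`."""
    bad = []
    for name in names:
        # os.path.join discards `dest` when `name` is absolute, so an
        # absolute member name ends up outside `dest` and is flagged too.
        if not is_within_directory(dest, os.path.join(dest, name)):
            bad.append(name)
    return bad


def check_zip(data, dest):
    """List unsafe member names of a zip archive given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return unsafe_members(zf.namelist(), dest)


def check_tar(data, dest):
    """List unsafe member names of a tar archive given as bytes."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return unsafe_members([m.name for m in tf.getmembers()], dest)


def safe_extract_zip(data, dest):
    """Extract only after the whole member list has passed the check."""
    bad = check_zip(data, dest)
    if bad:
        raise ValueError("refusing to extract, unsafe member paths: %r" % bad)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)


def extraction_refused(data, dest):
    """True if safe_extract_zip rejected the archive (nothing written)."""
    try:
        safe_extract_zip(data, dest)
    except ValueError:
        return True
    return False


# Constructed sample archives (hypothetical package layout, not real data).
def build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


def build_tar(entries):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in entries:
            info = tarfile.TarInfo(name)
            payload = content.encode()
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


GOOD_ZIP = build_zip([("pkg-1.0/setup.py", "x"), ("pkg-1.0/README", "x")])
EVIL_ZIP = build_zip([("pkg-1.0/setup.py", "x"), ("../../escape.txt", "x")])
EVIL_TAR = build_tar([("pkg-1.0/setup.py", "x"), ("/tmp/escape.txt", "x")])

if __name__ == "__main__":
    dest = "build/extract"
    print("good zip:", check_zip(GOOD_ZIP, dest))   # []
    print("evil zip:", check_zip(EVIL_ZIP, dest))   # ['../../escape.txt']
    print("evil tar:", check_tar(EVIL_TAR, dest))   # ['/tmp/escape.txt']
```

The check runs over the complete member list before anything is written, so a bad entry late in the archive cannot leave a partially extracted tree behind. For tar archives a full check also has to look at symlink and hardlink targets (`TarInfo.issym()`, `TarInfo.linkname`), since a link inside the tree that points outside it is the same escape by another route; Python 3.12 and later can enforce this with `extractall(..., filter="data")`.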