CVE-2022-44900: Fix sanity check for path traversal attack · miurahr/py7zr@1bb43f1
A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file.
Fix sanity check for path traversal attack
- Previous versions do not detect the attack in some cases
- Fixed it by calling resolve()
- resolve() converts "/hoge/fuga/../../../tmp/evil.sh" to "/tmp/evil.sh", then relative_to() can detect the path traversal attack.
- Add path checker in writef() and writestr() methods
- When arcname is passed as an evil path such as "../../../../tmp/evil.sh", it raises ValueError
- Add test case of bad path detection
- extraction: check that symlink and junction are under the target folder
- Fix relative_path_marker removal
- Don't put Windows file namespace into output file path
Signed-off-by: Hiroshi Miura [email protected]
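The check the commit message describes (resolve() before relative_to() on the extraction side, plus an arcname guard for the writef()/writestr() side), written out as an added, stand-alone Python example. This is not py7zr's own code: the function names, the "/hoge/fuga" target directory, the temp-dir symlink layout and the extra drive-letter check are constructed for illustration. The naive variant is kept beside the fixed one to show exactly which inputs the lexical check misses.

```python
"""Path-traversal sanity check in the style described by the commit above.

Constructed example: function names and sample paths are not py7zr's own.
"""
import os
import posixpath
import re
import tempfile
from pathlib import Path


def naive_is_under(target_dir: str, arcname: str) -> bool:
    """Pre-fix pattern: relative_to() on the unresolved path.

    PurePath.relative_to() is purely lexical, so '..' components are never
    collapsed and '/hoge/fuga/../../../tmp/evil.sh' still "starts with"
    '/hoge/fuga'. Symlinks inside the target are not followed either.
    """
    candidate = Path(target_dir) / arcname
    try:
        candidate.relative_to(Path(target_dir))
        return True
    except ValueError:
        return False


def safe_is_under(target_dir: str, arcname: str) -> bool:
    """Fixed pattern: resolve() both paths first, then relative_to().

    resolve() collapses '..' and follows symlinks/junctions, so anything that
    escapes the target folder ends up outside it and relative_to() raises.
    """
    target = Path(target_dir).resolve()
    candidate = (target / arcname).resolve()
    try:
        candidate.relative_to(target)
        return True
    except ValueError:
        return False


def check_arcname(arcname: str) -> str:
    """Writer-side guard (the writef()/writestr() idea): refuse member names
    that are absolute, drive-qualified, or climb above the archive root.

    Returns the normalised POSIX name on success, raises ValueError otherwise.
    """
    norm = posixpath.normpath(arcname.replace("\\", "/"))
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        raise ValueError(f"arcname escapes the archive root: {arcname!r}")
    # Drive letters ('C:/...') are absolute on Windows but not on POSIX;
    # this extra check is an addition beyond what the commit message lists.
    if re.match(r"^[A-Za-z]:", norm):
        raise ValueError(f"drive-qualified arcname not allowed: {arcname!r}")
    return norm


def symlink_escape_demo() -> tuple:
    """Constructed layout in a temp dir: target/escape -> the parent dir.

    Returns (naive_result, safe_result) for the member 'escape/evil.sh'.
    Only the resolve()-based check notices that the link leads outside.
    """
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "target")
        os.mkdir(target)
        os.symlink(tmp, os.path.join(target, "escape"))
        return (naive_is_under(target, "escape/evil.sh"),
                safe_is_under(target, "escape/evil.sh"))


if __name__ == "__main__":
    evil = "../../../tmp/evil.sh"
    print("naive:", naive_is_under("/hoge/fuga", evil))   # True  (missed)
    print("safe: ", safe_is_under("/hoge/fuga", evil))    # False (caught)
    print("symlink (naive, safe):", symlink_escape_demo())
    try:
        check_arcname("../../../../tmp/evil.sh")
    except ValueError as exc:
        print("writer guard:", exc)
```

The design point is that relative_to() alone is a string-prefix test: it accepts any path whose leading components match the target, so "/hoge/fuga/../../../tmp/evil.sh" passes. Calling resolve() first turns that into "/tmp/evil.sh", which relative_to() then rejects, and the same resolve() step is what makes a symlink or junction pointing outside the target visible to the check.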
Related news
Ubuntu Security Notice 7030-1 - It was discovered that py7zr was vulnerable to path traversal attacks. If a user or automated system were tricked into extracting a specially crafted 7z archive, an attacker could possibly use this issue to write arbitrary files outside the target directory on the host.
Debian Linux Security Advisory 5652-1 - A directory traversal vulnerability was discovered in py7zr, a library and command-line utility to process 7zip archives.
A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr versions 0.20.0 and earlier allows attackers to read arbitrary files on the local machine via a malicious 7z file extraction.