Reference to Python mitigation

[tirkarthi]

Python seems to do some mitigation which can be added to the README

Source : https://news.ycombinator.com/item?id=17237665

https://docs.python.org/3/library/zipfile.html?highlight=zipfile#zipfile.ZipFile.extract

If a member filename is an absolute path, a drive/UNC sharepoint and leading (back)slashes will be stripped, e.g.: ///foo/bar becomes foo/bar on Unix, and C:\foo\bar becomes foo\bar on Windows. And all ".." components in a member filename will be removed, e.g.: ../../foo../../ba..r becomes foo../ba..r. On Windows illegal characters (:, <, >, |, ", ?, and *) replaced by underscore (_).

[sjmaple]

Thanks for your feedback - we'll review and add to the README.

Thanks -- Simon

[nozmore]

Python tarfile appears to be vulnerable.

https://bugs.python.org/issue17102
https://bugs.python.org/issue21109

[aviadatsnyk]

thanks @nozmore , we're in contact with the python dev team to give them a short heads-up (although as you point out, this has been a known issue for a long time) and we'll add this to the README.

[aviadatsnyk]

@tirkarthi we're considering what would be the best way to include non-vulnerable libraries (and languages, for that matter), for now - we included the vulnerable python tarfile.

[epicfaace]

@aviadatsnyk can you update the website? Right now it has no indication of the tarfile problem:

We also vetted the Ruby and Python ecosystems and couldn’t find any vulnerable code snippets or libraries. In fact, Python libraries were vulnerable until fixed in 2014.

[aviadatsnyk]

@epicfaace - we'll def look into it, thank you!