Episode 344 - Python tarfile - 2022 is nothing like 2007

Nkechi blessing

34 min, 0 plays, 0 likes
Knowledge

Description

<p dir="auto"><a href="https://twitter.com/joshbressers" rel="nofollow" data-turbo-frame="">Josh</a> and <a href="https://twitter.com/kurtseifried" rel="nofollow" data-turbo-frame="">Kurt</a> talk about a newly rediscovered old Python vulnerability. It raises a lot of questions about what was OK in 2007 versus what is OK in 2022. The issue is very complicated and has a wild story surrounding it. There is no reason not to fix this in 2022.</p>
<h2 dir="auto">Show Notes</h2>
<ul dir="auto">
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2007-4559" rel="nofollow" data-turbo-frame="">CVE-2007-4559</a></li>
<li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=263261" rel="nofollow" data-turbo-frame="">Red Hat Bug</a></li>
<li><a href="https://www.theregister.com/2022/09/22/python_vulnerability_tarfile/" rel="nofollow" data-turbo-frame="">Register story</a></li>
<li><a href="https://github.com/python/cpython/issues/45385" data-hovercard-type="issue" data-hovercard-url="/python/cpython/issues/45385/hovercard" data-turbo-frame="">Response from upstream</a></li>
<li><a href="https://bugs.python.org/file8339/insecure_pathnames.diff" rel="nofollow" data-turbo-frame="">Upstream patch</a></li>
<li><a href="https://main.zippslip.com/" rel="nofollow" data-turbo-frame="">ZippSlip</a></li>
<li><a href="https://github.com/python/cpython/issues/73974" data-hovercard-type="issue" data-hovercard-url="/python/cpython/issues/73974/hovercard" data-turbo-frame="">Current upstream bug</a></li>
<li><a href="https://github.com/expressjs/csurf" data-turbo-frame="">CSURF</a></li>
</ul>
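As an added illustration (written for this page, not code from the podcast or from CPython), here is the defender-side check that CVE-2007-4559 calls for: tarfile's extractall() trusts member names, so a member named "../x", an absolute path, or a link whose target lies outside the destination directory ends up outside it. The archive below is constructed inline; the check names every offending member and refuses the whole archive before anything is written.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample archive (built here, not taken from the podcast): one benign
# member, a "../" traversal, an absolute path, and a symlink pointing outside dest.
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../outside.txt", "/etc/cron.d/job"):
            data = b"hello\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()

def _inside(root: str, path: str) -> bool:
    return os.path.commonpath([root, os.path.realpath(path)]) == root

def escaping_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members whose path or link target would land outside dest."""
    root = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        target = os.path.join(root, m.name)      # an absolute m.name discards root
        ok = _inside(root, target)
        if ok and m.issym():                     # symlink: relative to its own dir
            ok = _inside(root, os.path.join(os.path.dirname(target), m.linkname))
        elif ok and m.islnk():                   # hard link: relative to archive root
            ok = _inside(root, os.path.join(root, m.linkname))
        if not ok:
            bad.append(m.name)
    return bad

def safe_extractall(tar: tarfile.TarFile, dest: str) -> None:
    """Refuse the whole archive if any member would escape dest."""
    bad = escaping_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract, members escape {dest!r}: {bad}")
    tar.extractall(dest)  # on Python 3.12+ prefer tar.extractall(dest, filter="data")

def audit_sample_archive() -> list[str]:
    """Run the check over the constructed archive against a fresh temp dir."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
        return escaping_members(tar, tempfile.mkdtemp())
```

On Python 3.12 and later, the same protection is available upstream through the `filter="data"` argument to extract()/extractall(); the check above is for code that must also run on older interpreters.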

Creator

clydeGarden