pyLoad
cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*
- <= 0.4.x
A path traversal vulnerability has been identified in pyLoad versions 0.4.x and prior, specifically within the '_safe_extractall()' function of the UnTar extractor. The vulnerability arises because the function uses 'os.path.commonprefix()' for path traversal validation, which compares strings at a character level instead of a path level. This flaw allows a specially crafted tar archive to extract files outside the designated directory. Although the correct 'os.path.commonpath()' function was introduced in a previous fix, it was not applied to '_safe_extractall()', leaving the vulnerability unaddressed. The issue is now resolved in pyLoad version 0.5.0b3.dev97.
Exploitation of this vulnerability allows an attacker to write files to arbitrary sibling directories of the extraction path, potentially overwriting other users' downloads or placing malicious files in predictable locations. This could lead to code execution if combined with other techniques, such as writing a '.bashrc' file or a plugin file.
The vulnerability can be reproduced by creating a malicious tar.gz file that includes a member file designed to escape the intended extraction directory using the commonprefix bypass. This crafted archive can then be downloaded by a pyLoad user with the ExtractArchive addon enabled, triggering the path traversal vulnerability during extraction.
Users should update to pyLoad version 0.5.0b3.dev97, where this vulnerability has been fixed.
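The difference between the two checks described above, shown as an added example that is not pyLoad's own code: a `commonprefix()`-based containment test of the kind the advisory describes, beside the `commonpath()`-based test that replaces it, both run over a constructed in-memory tar archive. The extraction path `/dl/out`, the member names and the archive contents are assumptions made for the demonstration; nothing is written to disk unless `safe_extractall()` is called.

```python
import io
import os
import tarfile
from typing import Callable, List


def naive_is_within(base: str, target: str) -> bool:
    # Flawed check in the style the advisory describes: commonprefix() compares
    # characters, so "/dl/out" counts as a prefix of "/dl/out_evil/x".
    base, target = os.path.abspath(base), os.path.abspath(target)
    return os.path.commonprefix([base, target]) == base


def safe_is_within(base: str, target: str) -> bool:
    # Corrected check: commonpath() compares whole path components, so only a
    # target that really sits under base (or is base itself) passes.
    base, target = os.path.abspath(base), os.path.abspath(target)
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:
        # No common component at all (e.g. different drives on Windows).
        return False


def flagged_members(check: Callable[[str, str], bool], data: bytes, dest: str) -> List[str]:
    # Run a containment check over every member name and return the names it rejects.
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not check(dest, os.path.join(dest, member.name)):
                rejected.append(member.name)
    return rejected


def safe_extractall(data: bytes, dest: str) -> None:
    # Refuse the whole archive if any member would land outside dest.
    bad = flagged_members(safe_is_within, data, dest)
    if bad:
        raise ValueError(f"refusing to extract, members escape {dest!r}: {bad}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        tar.extractall(dest)


def build_sample_archive() -> bytes:
    # Constructed test fixture (not from the advisory): one benign member and one
    # whose name resolves to a sibling directory of the extraction path.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in [("readme.txt", b"benign\n"), ("../out_evil/escaped.txt", b"x\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    dest = "/dl/out"  # hypothetical extraction path; only used for path arithmetic here
    print("commonprefix check rejects:", flagged_members(naive_is_within, archive, dest))
    print("commonpath check rejects:  ", flagged_members(safe_is_within, archive, dest))
```

The name-based check above is the minimum; it does not catch a member that is a symlink to a location outside `dest` followed by a member written through that link. On Python 3.12 and later (and the backports that added PEP 706), `tar.extractall(dest, filter="data")` rejects both traversal names and such links, and is the simpler choice where available.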