gh-135034: Normalize link targets in tarfile, add `os.path.realpath(strict='allow_missing')` #135037

ambv · 2025-06-02T16:24:54Z

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

[edit @encukou]: Also addresses CVE-2025-4435. Sorry for leaving that out of the commit messages.

Co-authored-by: Petr Viktorin [email protected]
Signed-off-by: Łukasz Langa [email protected]

Issue: Multiple tarfile extraction filter bypasses (filter="tar"/filter="data") #135034

📚 Documentation preview 📚: https://cpython-previews--135037.org.readthedocs.build/

…path(strict='allow_missing')` Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517. Co-authored-by: Petr Viktorin <[email protected]> Signed-off-by: Łukasz Langa <[email protected]>

serhiy-storchaka · 2025-06-02T17:06:49Z

See also #71189.

Lib/test/test_tarfile.py

Co-authored-by: Adam Turner <[email protected]>

Lib/test/test_tarfile.py

Lib/test/test_ntpath.py

encukou · 2025-06-02T22:29:32Z

See also #71189.

To align with this, there'd be a ntpath.ALLOW_MISSING singleton rather than an 'allow_missing' string.
That's possible, of course. It can catch typos. But I don't think it's worth having to import an extra name.

bedevere-bot · 2025-06-02T23:14:05Z

🤖 New build scheduled with the buildbot fleet by @encukou for commit 5af66c6 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F135037%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

Co-authored-by: Serhiy Storchaka <[email protected]>

This reverts commit fd2013a.

…path(strict='allow_missing')` (python#135037) Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517. Signed-off-by: Łukasz Langa <[email protected]> Co-authored-by: Petr Viktorin <[email protected]> Co-authored-by: Seth Michael Larson <[email protected]> Co-authored-by: Adam Turner <[email protected]> Co-authored-by: Serhiy Storchaka <[email protected]>

pythongh-135034: Normalize link targets in tarfile, add `os.path.real…

0c16f5f

…path(strict='allow_missing')` Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517. Co-authored-by: Petr Viktorin <[email protected]> Signed-off-by: Łukasz Langa <[email protected]>

ambv requested a review from ethanfurman as a code owner June 2, 2025 16:24

bedevere-app bot added the awaiting core review label Jun 2, 2025

bedevere-app bot mentioned this pull request Jun 2, 2025

Multiple tarfile extraction filter bypasses (filter="tar"/filter="data") #135034

Closed

ambv and others added 2 commits June 2, 2025 18:30

Fix lint

335921b

Add blurb

fcefa72

Fix test_tarfile on WASI

9c275a7

ambv force-pushed the gh-135034 branch from d25f924 to 9c275a7 Compare June 2, 2025 17:30

Remove spurious line

b59eaaa

AA-Turner reviewed Jun 2, 2025

View reviewed changes

Lib/test/test_tarfile.py Outdated Show resolved Hide resolved

ambv and others added 3 commits June 2, 2025 22:10

Fix invalid parent directory unwinding in test

fd5ba13

Co-authored-by: Adam Turner <[email protected]>

Make tests more chatty

aeebdc8

Use a better skip

f5544e6

encukou reviewed Jun 2, 2025

View reviewed changes

Lib/test/test_tarfile.py Outdated Show resolved Hide resolved

encukou reviewed Jun 2, 2025

View reviewed changes

Lib/test/test_ntpath.py Outdated Show resolved Hide resolved

ambv and others added 2 commits June 3, 2025 00:31

Work around Windows test failures

3c5ed15

Add ERROR_ACCESS_DENIED

5af66c6

encukou added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jun 2, 2025

bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jun 2, 2025

encukou and others added 7 commits June 3, 2025 01:14

Switch to singleton

a124c42

Co-authored-by: Serhiy Storchaka <[email protected]>

Add ENAMETOOLONG to expected failures. And an extra subTest.

5bf4a48

Discard more special files

3b54acd

Use shorter names on Android

7ff96a2

Fix docs warning

f845343

Attempt to restore ntpath test

fd2013a

Revert "Attempt to restore ntpath test"

f8f2786

This reverts commit fd2013a.

encukou added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jun 3, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

gh-135034: Normalize link targets in tarfile, add `os.path.realpath(strict='allow_missing')` #135037

gh-135034: Normalize link targets in tarfile, add `os.path.realpath(strict='allow_missing')` #135037

Uh oh!

ambv commented Jun 2, 2025 •

edited by encukou

Loading

Uh oh!

serhiy-storchaka commented Jun 2, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

encukou commented Jun 2, 2025

Uh oh!

bedevere-bot commented Jun 2, 2025

Uh oh!

Uh oh!

Uh oh!

gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') #135037

gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') #135037

Uh oh!

Conversation

ambv commented Jun 2, 2025 • edited by encukou Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

serhiy-storchaka commented Jun 2, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

encukou commented Jun 2, 2025

Uh oh!

bedevere-bot commented Jun 2, 2025

Uh oh!

Uh oh!

gh-135034: Normalize link targets in tarfile, add `os.path.realpath(strict='allow_missing')` #135037

gh-135034: Normalize link targets in tarfile, add `os.path.realpath(strict='allow_missing')` #135037

ambv commented Jun 2, 2025 •

edited by encukou

Loading