Skip to content

gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') #135037

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 20 commits into from
Jun 3, 2025
Merged

gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') #135037

merged 20 commits into from
Jun 3, 2025

Conversation

ambv
Copy link
Contributor

@ambv ambv commented Jun 2, 2025
edited by encukou
Loading

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

[edit @encukou]: Also addresses CVE-2025-4435. Sorry for leaving that out of the commit messages.

Co-authored-by: Petr Viktorin [email protected]
Signed-off-by: Łukasz Langa [email protected]

📚 Documentation preview 📚: https://cpython-previews--135037.org.readthedocs.build/

@ambv @encukou
pythongh-135034: Normalize link targets in tarfile, add `os.path.real…
0c16f5f 
…path(strict='allow_missing')`

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

Co-authored-by: Petr Viktorin <[email protected]>
Signed-off-by: Łukasz Langa <[email protected]>
@ambv ambv requested a review from ethanfurman as a code owner June 2, 2025 16:24
@bedevere-app bedevere-app bot mentioned this pull request Jun 2, 2025
Closed
@serhiy-storchaka
Copy link
Member

See also #71189.

AA-Turner
AA-Turner reviewed Jun 2, 2025
View reviewed changes
encukou
encukou reviewed Jun 2, 2025
View reviewed changes
encukou
encukou reviewed Jun 2, 2025
View reviewed changes
@encukou
Copy link
Member

encukou commented Jun 2, 2025

See also #71189.

To align with this, there'd be a ntpath.ALLOW_MISSING singleton rather than an 'allow_missing' string.
That's possible, of course. It can catch typos. But I don't think it's worth having to import an extra name.

@encukou encukou added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jun 2, 2025
@bedevere-bot
Copy link

🤖 New build scheduled with the buildbot fleet by @encukou for commit 5af66c6 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F135037%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jun 2, 2025
@encukou encukou added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jun 3, 2025
This was referenced Jul 10, 2025
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Pranjal095 pushed a commit to Pranjal095/cpython that referenced this pull request Jul 12, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka @Pranjal095
pythongh-135034: Normalize link targets in tarfile, add `os.path.real…
1fec654 
…path(strict='allow_missing')` (python#135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

Signed-off-by: Łukasz Langa <[email protected]>
Co-authored-by: Petr Viktorin <[email protected]>
Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Adam Turner <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
This was referenced Jul 14, 2025
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@encukou encukou encukou left review comments

@AA-Turner AA-Turner AA-Turner left review comments

@ethanfurman ethanfurman Awaiting requested review from ethanfurman ethanfurman is a code owner

Assignees

@Yhg1s Yhg1s

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@ambv @serhiy-storchaka @encukou @bedevere-bot @AA-Turner @Yhg1s @sethmlarson