Skip to content

[3.14] gh-149486: tarfile.data_filter: validate written link target (GH-149487)#149554

Merged
encukou merged 2 commits into
python:3.14from
miss-islington:backport-5784119-3.14
May 11, 2026
Merged

[3.14] gh-149486: tarfile.data_filter: validate written link target (GH-149487)#149554
encukou merged 2 commits into
python:3.14from
miss-islington:backport-5784119-3.14

Conversation

@miss-islington
Copy link
Copy Markdown
Contributor

@miss-islington miss-islington commented May 8, 2026
edited by bedevere-app Bot
Loading

The data filter rewrote linknames with normpath() but ran the
containment check against the un-normalised value, and computed a
symlink's directory before stripping trailing slashes. Both let a
crafted archive create links pointing outside the destination. Also
reject link members that resolve to the destination directory itself,
which could otherwise replace it with a symlink and redirect all
subsequent members.

(Patch by Greg; Petr's just reviewing & merging.)
(cherry picked from commit 5784119)

Co-authored-by: Petr Viktorin encukou@gmail.com
Co-authored-by: Gregory P. Smith greg@krypto.org

@encukou @gpshead @miss-islington
pythongh-149486: tarfile.data_filter: validate written link target (p…
8d6d0b1 
…ythonGH-149487)

The data filter rewrote linknames with normpath() but ran the
containment check against the un-normalised value, and computed a
symlink's directory before stripping trailing slashes.  Both let a
crafted archive create links pointing outside the destination.  Also
reject link members that resolve to the destination directory itself,
which could otherwise replace it with a symlink and redirect all
subsequent members.

(Patch by Greg; Petr's just reviewing & merging.)
(cherry picked from commit 5784119)

Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
This was referenced May 8, 2026
Open
Merged
@encukou
Copy link
Copy Markdown
Member

encukou commented May 8, 2026

!buildbot Windows

@bedevere-bot
Copy link
Copy Markdown

bedevere-bot commented May 8, 2026

🤖 New build scheduled with the buildbot fleet by @encukou for commit 4b1dba7 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F149554%2Fmerge

The command will test the builders whose names match following regular expression: Windows

The builders matched are:

  • AMD64 Windows Server 2022 NoGIL PR
  • AMD64 Windows11 Refleaks PR
  • ARM64 Windows PR
  • AMD64 Windows PGO Tailcall PR
  • AMD64 Windows PGO NoGIL Tailcall PR
  • ARM64 Windows Non-Debug PR
  • AMD64 Windows11 Non-Debug PR
  • AMD64 Windows PGO NoGIL PR
  • AMD64 Windows PGO PR
  • AMD64 Windows10 PR

@encukou encukou merged commit 74cca9a into python:3.14 May 11, 2026
58 of 61 checks passed
@miss-islington miss-islington deleted the backport-5784119-3.14 branch May 11, 2026 09:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ethanfurman ethanfurman Awaiting requested review from ethanfurman ethanfurman is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@miss-islington @encukou @bedevere-bot