gh-130577: tarfile now validates archives to ensure member offsets are non-negative #137027

Open: aeurielesn wants to merge 3 commits into base: main

aeurielesn (Contributor) commented Jul 22, 2025

gpshead (Member) left a comment

It's rather sad that the number format used within tar files even explicitly allows a way to express negative values. Is there even a use case for that in the file format(s)?
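
The numeric encoding this comment refers to, as an added example (not code from this PR or from CPython): a tar header number is either ASCII octal or the GNU base-256 form, whose 0xFF marker byte denotes a two's-complement negative value. The function names and sample fields are assumptions constructed for illustration; the check rejects a negative size before it is used to compute the next member's offset.

```python
# Added illustration; function names are hypothetical, not tarfile's API.
BLOCKSIZE = 512  # tar archives are laid out in 512-byte blocks


def decode_tar_number(field: bytes) -> int:
    """Decode a tar header numeric field (octal text or GNU base-256)."""
    if field[0] in (0x80, 0xFF):
        # GNU base-256: marker byte, then a big-endian magnitude.
        # 0x80 marks a non-negative value, 0xFF a two's-complement negative.
        value = int.from_bytes(field[1:], "big")
        if field[0] == 0xFF:
            value -= 256 ** (len(field) - 1)
        return value
    # Classic form: ASCII octal digits, NUL/space terminated.
    text = field.split(b"\0", 1)[0].strip().decode("ascii")
    return int(text or "0", 8)


def padded_length(size: int) -> int:
    """Bytes a member's data occupies, rounded up to whole blocks."""
    if size < 0:
        raise ValueError(f"negative member size in header: {size}")
    return -(-size // BLOCKSIZE) * BLOCKSIZE


def next_header_offset(header_offset: int, size_field: bytes) -> int:
    """Offset of the following header; rejects negative sizes and offsets."""
    if header_offset < 0:
        raise ValueError(f"negative header offset: {header_offset}")
    size = decode_tar_number(size_field)
    return header_offset + BLOCKSIZE + padded_length(size)


# Constructed 12-byte size fields (not taken from a real archive).
OCTAL_1024 = b"00000002000\0"
GNU_POS_1024 = b"\x80" + (1024).to_bytes(11, "big")
GNU_NEG_1024 = b"\xff" + (256**11 - 1024).to_bytes(11, "big")

if __name__ == "__main__":
    for name, field in [("octal", OCTAL_1024), ("gnu+", GNU_POS_1024),
                        ("gnu-", GNU_NEG_1024)]:
        try:
            print(name, decode_tar_number(field), next_header_offset(0, field))
        except ValueError as exc:
            print(name, decode_tar_number(field), "rejected:", exc)
```
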

gpshead added the labels needs backport to 3.9 (only security fixes), needs backport to 3.10 (only security fixes), needs backport to 3.11 (only security fixes), needs backport to 3.12 (only security fixes), needs backport to 3.13 (bugs and security fixes), needs backport to 3.14 (bugs and security fixes) and removed the labels needs backport to 3.9 (only security fixes), needs backport to 3.10 (only security fixes), needs backport to 3.11 (only security fixes), needs backport to 3.12 (only security fixes), needs backport to 3.13 (bugs and security fixes) on Jul 25, 2025

gpshead (Member) commented Jul 25, 2025

Please cherry pick this commit to your branch (mispaste fixed): aa57b01

We don't want a whatsnew entry for this; What's New is for major features, not bugfixes. A whatsnew entry makes backporting a chore (thus me removing the auto-backport labels for now).

(GitHub is refusing to let me push changes to your branch. Please always allow maintainers to push edits to PR branches.)

gpshead (Member) commented Jul 25, 2025

(corrected mispasted commit link above)

gpshead self-assigned this Jul 25, 2025

aeurielesn (Contributor, Author) commented

I enabled the allow edits to avoid any further issues and I cherry-picked the commit from your personal fork.

aeurielesn (Contributor, Author) commented

By the way, thanks for the clarifications on the process 👍

gpshead added the labels needs backport to 3.9 (only security fixes), needs backport to 3.10 (only security fixes), needs backport to 3.11 (only security fixes), needs backport to 3.12 (only security fixes) on Jul 27, 2025

gpshead added the label needs backport to 3.13 (bugs and security fixes) on Jul 27, 2025
Labels: awaiting merge, needs backport to 3.9 (only security fixes), needs backport to 3.10 (only security fixes), needs backport to 3.11 (only security fixes), needs backport to 3.12 (only security fixes), needs backport to 3.13 (bugs and security fixes), needs backport to 3.14 (bugs and security fixes)
3 participants