Skip to content

[3.9] gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027) #137177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: 3.9
Choose a base branch
from
Open

[3.9] gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027) #137177

wants to merge 1 commit into from

Conversation

gpshead
Copy link
Member

@gpshead gpshead commented Jul 28, 2025
edited by bedevere-app bot
Loading

@aeurielesn @gpshead
[3.9] pythongh-130577: tarfile now validates archives to ensure membe…
ea07f6b 
…r offsets are non-negative (pythonGH-137027)

(cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@gpshead gpshead requested a review from ethanfurman as a code owner July 28, 2025 17:08
@gpshead gpshead added the type-security A security issue label Jul 28, 2025
This was referenced Jul 28, 2025
Open
Merged
kulikjak
kulikjak reviewed Jul 29, 2025
View reviewed changes
Lib/test/test_tarfile.py
@@ -4234,6 +4235,193 @@ def valueerror_filter(tarinfo, path):
self.expect_exception(TypeError) # errorlevel is not int


class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

archiver_tests are not imported and do not exist in 3.9 sources.

mgorny
mgorny reviewed Jul 30, 2025
View reviewed changes
Lib/test/test_tarfile.py
Comment on lines +4238 to +4269
class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
testdir = os.path.join(TEMPDIR, "testoverwrite")

@classmethod
def setUpClass(cls):
p = cls.ar_with_file = os.path.join(TEMPDIR, 'tar-with-file.tar')
cls.addClassCleanup(os_helper.unlink, p)
with tarfile.open(p, 'w') as tar:
t = tarfile.TarInfo('test')
t.size = 10
tar.addfile(t, io.BytesIO(b'newcontent'))

p = cls.ar_with_dir = os.path.join(TEMPDIR, 'tar-with-dir.tar')
cls.addClassCleanup(os_helper.unlink, p)
with tarfile.open(p, 'w') as tar:
tar.addfile(tar.gettarinfo(os.curdir, 'test'))

p = os.path.join(TEMPDIR, 'tar-with-implicit-dir.tar')
cls.ar_with_implicit_dir = p
cls.addClassCleanup(os_helper.unlink, p)
with tarfile.open(p, 'w') as tar:
t = tarfile.TarInfo('test/file')
t.size = 10
tar.addfile(t, io.BytesIO(b'newcontent'))

def open(self, path):
return tarfile.open(path, 'r')

def extractall(self, ar):
ar.extractall(self.testdir, filter='fully_trusted')


Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as in the 3.10 backport, this seems to have been mistakenly added as a result of merge error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mgorny mgorny mgorny left review comments

@kulikjak kulikjak kulikjak left review comments

@ethanfurman ethanfurman Awaiting requested review from ethanfurman ethanfurman is a code owner

Assignees

@ambv ambv

Labels
awaiting core review release-blocker type-security A security issue
Projects
Release and Deferred blockers 🚫
Status: Todo
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@gpshead @mgorny @kulikjak @ambv @aeurielesn
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy