Stowage/cpython
2
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-12-08 06:10:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

gh-138158: Use the "data" tarfile extraction filter in Tools/ssl/multissltests.py (#138147)

Browse source 
The `Tools/ssl/multissltests.py` script may extract a possibly untrusted tarball.
Since the script does not necessarily use Python 3.14 or later (where the `"data"`
filter became the default `tarfile` extraction filter), the user may theoretically
suffer from a path traversal attack.

Although the script should not be used in production and usually relies on downloading
trusted sources, the `"data"` extraction filter is now explicitly used wherever relevant.
This commit is contained in:
Tommaso Bona 2025-08-30 12:27:32 +02:00 committed by GitHub
parent bacb7771fb
commit 31d3836f26
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Tools/ssl/multissltests.py
View file

@ -306,7 +306,7 @@ def _unpack_src(self):
raise ValueError(member.name, base)
member.name = member.name[len(base):].lstrip('/')
log.info("Unpacking files to {}".format(self.build_dir))
tf.extractall(self.build_dir, members)
tf.extractall(self.build_dir, members, filter='data')
def _build_src(self, config_args=()):
"""Now build openssl"""