gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (#135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517. Signed-off-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
2025-10-20 00:13:47 +00:00 · 2025-06-03 12:42:11 +02:00 · 2025-06-03 12:42:11 +02:00 · 3612d8f517
commit 3612d8f517
parent ec12559eba
11 changed files with 969 additions and 172 deletions
--- a/Lib/genericpath.py
+++ b/Lib/genericpath.py
@ -8,7 +8,7 @@

 __all__ = ['commonprefix', 'exists', 'getatime', 'getctime', 'getmtime',
           'getsize', 'isdevdrive', 'isdir', 'isfile', 'isjunction', 'islink',
-           'lexists', 'samefile', 'sameopenfile', 'samestat']
+           'lexists', 'samefile', 'sameopenfile', 'samestat', 'ALLOW_MISSING']


 # Does a path exist?
@ -189,3 +189,12 @@ def _check_arg_types(funcname, *args):
                            f'os.PathLike object, not {s.__class__.__name__!r}') from None
    if hasstr and hasbytes:
        raise TypeError("Can't mix strings and bytes in path components") from None
+
+# A singleton with a true boolean value.
+@object.__new__
+class ALLOW_MISSING:
+    """Special value for use in realpath()."""
+    def __repr__(self):
+        return 'os.path.ALLOW_MISSING'
+    def __reduce__(self):
+        return self.__class__.__name__