cpython/Tools/ssl
Miss Islington (bot) 8dd027602d
[3.13] gh-138158: Use the "data" tarfile extraction filter in Tools/ssl/multissltests.py (GH-138147) (#138263)
gh-138158: Use the `"data"` tarfile extraction filter in `Tools/ssl/multissltests.py` (GH-138147)

The `Tools/ssl/multissltests.py` script may extract a possibly untrusted tarball.
Since the script does not necessarily use Python 3.14 or later (where the `"data"`
filter became the default `tarfile` extraction filter), the user may theoretically
suffer from a path traversal attack.

Although the script should not be used in production and usually relies on downloading
trusted sources, the `"data"` extraction filter is now explicitly used wherever relevant.
(cherry picked from commit 31d3836f26)

Co-authored-by: Tommaso Bona <piergeolo@gmail.com>
2025-08-30 10:49:45 +00:00
make_ssl_data.py gh-58032: Do not use argparse.FileType in module CLIs and scripts (GH-113649) 2024-01-10 15:07:19 +02:00
multissltests.py [3.13] gh-138158: Use the "data" tarfile extraction filter in Tools/ssl/multissltests.py (GH-138147) (#138263) 2025-08-30 10:49:45 +00:00