https://github.com/python/cpython/commit/8dd027602dc57997a98bbb2fec3ee10473bf012f commit: 8dd027602dc57997a98bbb2fec3ee10473bf012f branch: 3.13 author: Miss Islington (bot) <[email protected]> committer: picnixz <[email protected]> date: 2025-08-30T10:49:45Z summary:
[3.13] gh-138158: Use the `"data"` tarfile extraction filter in `Tools/ssl/multissltests.py` (GH-138147) (#138263) gh-138158: Use the `"data"` tarfile extraction filter in `Tools/ssl/multissltests.py` (GH-138147) The `Tools/ssl/multissltests.py` script may extract a possibly untrusted tarball. Since the script does not necessarily use Python 3.14 or later (where the `"data"` filter became the default `tarfile` extraction filter), the user may theoretically suffer from a path traversal attack. Although the script should not be used in production and usually relies on downloading trusted sources, the `"data"` extraction filter is now explicitly used wherever relevant. (cherry picked from commit 31d3836f26096f9503ca68f4e89d927bc1e060cd) Co-authored-by: Tommaso Bona <[email protected]> files: M Tools/ssl/multissltests.py diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py index eae0e0c5e8761f..ea88a43157bdd3 100755 --- a/Tools/ssl/multissltests.py +++ b/Tools/ssl/multissltests.py @@ -292,7 +292,7 @@ def _unpack_src(self): raise ValueError(member.name, base) member.name = member.name[len(base):].lstrip('/') log.info("Unpacking files to {}".format(self.build_dir)) - tf.extractall(self.build_dir, members) + tf.extractall(self.build_dir, members, filter='data') def _build_src(self, config_args=()): """Now build openssl""" _______________________________________________ Python-checkins mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3//lists/python-checkins.python.org Member address: [email protected]
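Review bot: the `filter='data'` keyword on `tf.extractall(self.build_dir, members, filter='data')` raises `TypeError` (unexpected keyword argument) on interpreters that predate the PEP 706 backport (`filter` exists in 3.12+ and in the 3.8.17, 3.9.17, 3.10.12 and 3.11.4 maintenance releases), which matters because the commit message itself says the script does not necessarily run on a recent Python; either document the minimum interpreter version for `Tools/ssl/multissltests.py` or guard the call with the documented feature check `hasattr(tarfile, 'data_filter')` and fall back to the existing `tf.extractall(self.build_dir, members)` with a logged warning. Keeping the manual `raise ValueError(member.name, base)` / `member.name = member.name[len(base):].lstrip('/')` logic above the call is the right choice: the `"data"` filter rejects absolute paths, `..` components and links that escape `self.build_dir`, but it does not strip the archive's top-level directory, so the two checks complement rather than duplicate each other.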
