https://github.com/python/cpython/commit/31d3836f26096f9503ca68f4e89d927bc1e060cd
commit: 31d3836f26096f9503ca68f4e89d927bc1e060cd
branch: main
author: Tommaso Bona <[email protected]>
committer: picnixz <[email protected]>
date: 2025-08-30T12:27:32+02:00
summary:

gh-138158: Use the `"data"` tarfile extraction filter in `Tools/ssl/multissltests.py` (#138147)

The `Tools/ssl/multissltests.py` script may extract a possibly untrusted tarball.
Since the script does not necessarily use Python 3.14 or later (where the `"data"`
filter became the default `tarfile` extraction filter), the user may theoretically
suffer from a path traversal attack.

Although the script should not be used in production and usually relies on downloading
trusted sources, the `"data"` extraction filter is now explicitly used wherever relevant.
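The mitigation the commit message describes, as an added example that is not part of the commit or of the CPython script: `safe_extractall`, `build_tar` and `extract_result` are hypothetical helper names, and the tarballs they operate on are constructed in memory. It shows the `"data"` filter rejecting a member whose name climbs out of the destination, and a manual containment check for interpreters whose `extractall` does not accept the `filter` keyword.

```python
"""Added example (not from the CPython commit): extract a tarball with the
"data" filter, falling back to a manual containment check on interpreters
that predate the `filter` keyword, and show that a traversal member is
rejected while an ordinary member is extracted."""
import io
import os
import tarfile
import tempfile

# FilterError only exists on interpreters with PEP 706 support; on older
# ones the manual fallback raises ValueError instead.
_REJECTIONS = (ValueError, getattr(tarfile, "FilterError", ValueError))


def safe_extractall(tf, dest, members=None):
    """Extract `members` of `tf` into `dest`.

    Uses the "data" filter when the interpreter supports it (3.12+, or the
    PEP 706 backports 3.8.17, 3.9.17, 3.10.12, 3.11.4 and later). Older
    interpreters raise TypeError on the `filter` keyword, so there the
    final path of every member is checked to stay inside `dest` and link
    members are refused outright. Returns which mode was used.
    """
    if hasattr(tarfile, "data_filter"):
        tf.extractall(dest, members, filter="data")
        return "data"
    dest_real = os.path.realpath(dest)
    selected = members if members is not None else tf.getmembers()
    for member in selected:
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise ValueError("member escapes destination: %r" % member.name)
        if member.issym() or member.islnk():
            raise ValueError("link member refused without data filter: %r"
                             % member.name)
    tf.extractall(dest, selected)
    return "manual"


def build_tar(entries):
    """Build an in-memory tar archive from (name, bytes) pairs.

    Sample data is constructed here; tar itself does not normalise names,
    so a name such as "../escape.txt" is stored verbatim.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_result(tar_bytes):
    """Extract into a fresh temporary directory.

    Returns ("ok", sorted relative paths) on success or
    ("rejected", exception class name) when extraction was refused.
    """
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
            try:
                safe_extractall(tf, dest)
            except _REJECTIONS as exc:
                return ("rejected", type(exc).__name__)
        files = sorted(
            os.path.relpath(os.path.join(root, name), dest).replace(os.sep, "/")
            for root, _, names in os.walk(dest)
            for name in names
        )
        return ("ok", files)


if __name__ == "__main__":
    print(extract_result(build_tar([("src/a.txt", b"hi")])))
    print(extract_result(build_tar([("../escape.txt", b"x")])))
```

On a PEP 706 interpreter the second call is refused by the filter with `OutsideDestinationError` before anything is written; on the fallback path the same member is refused with `ValueError`. Either way a caller that only catches `ValueError` (as the base-prefix check in the script does) will not see the filter's own error classes, so callers should catch `tarfile.FilterError` as well.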

files:
M Tools/ssl/multissltests.py

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index e632adafaaa0a0..c0559446982eab 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -306,7 +306,7 @@ def _unpack_src(self):
                 raise ValueError(member.name, base)
             member.name = member.name[len(base):].lstrip('/')
         log.info("Unpacking files to {}".format(self.build_dir))
-        tf.extractall(self.build_dir, members)
+        tf.extractall(self.build_dir, members, filter='data')
 
     def _build_src(self, config_args=()):
         """Now build openssl"""
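Review bot: `tf.extractall(self.build_dir, members, filter='data')` raises `TypeError` on interpreters that predate the PEP 706 backports (the `filter` keyword exists in 3.12+ and in 3.8.17, 3.9.17, 3.10.12 and 3.11.4 and later); since the message says the script is not guaranteed to run on a recent Python, consider documenting the minimum interpreter version or guarding on `hasattr(tarfile, 'data_filter')` with a fallback. Two things worth a comment here: the filter sees the already-rewritten `member.name` (the `base` prefix is stripped two lines above), so its containment check applies to the final destination paths, and it reports problems as `tarfile.FilterError` subclasses rather than the `ValueError` raised for a bad `base`, so callers that catch only `ValueError` will not see them.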

_______________________________________________
Python-checkins mailing list -- [email protected]
https://mail.python.org/mailman3//lists/python-checkins.python.org