Merge pull request #2443 from swt2c/safer_tar

Use new tarfile.extractall() filter for safer tarfile extraction
2025-12-16 01:30:07 +01:00 · 2023-08-04 17:28:56 -04:00
parent 82b9b5b542 e5c92b3056
commit e4fd9a3e04
2 changed files with 12 additions and 2 deletions
--- a/build.py
+++ b/build.py
@@ -28,6 +28,7 @@ import tempfile
 import datetime
 import shlex
 import textwrap
+import warnings

 try:
    import pathlib
@@ -1403,7 +1404,11 @@ def cmd_sip(options, args):
        tf_name = glob.glob(tmpdir + '/*.tar*')[0]
        tf_dir = os.path.splitext(os.path.splitext(tf_name)[0])[0]
        with tarfile.open(tf_name) as tf:
-            tf.extractall(tmpdir)
+            try:
+                tf.extractall(tmpdir, filter='data')
+            except TypeError:
+                warnings.warn('Falling back to less safe tarfile.extractall')
+                tf.extractall(tmpdir)
        shutil.move(tf_dir, cfg.SIPINC)


--- a/wx/tools/wxget_docs_demo.py
+++ b/wx/tools/wxget_docs_demo.py
@@ -33,6 +33,7 @@ import os
 import subprocess
 import webbrowser
 import tarfile
+import warnings
 if sys.version_info >= (3,):
    from urllib.error import HTTPError
    import urllib.request as urllib2
@@ -84,7 +85,11 @@ def unpack_cached(cached, dest_dir):
    """ Unpack from the cache."""
    print('Unpack', cached, 'to', dest_dir)
    with tarfile.open(cached, "r:*") as tf:
-        tf.extractall(dest_dir)
+        try:
+            tf.extractall(dest_dir, filter='data')
+        except TypeError:
+            warnings.warn('Falling back to less safe tarfile.extractall')
+            tf.extractall(dest_dir)
    dest_dir = os.listdir(dest_dir)[0]
    return dest_dir