From e5c92b30567448df087a9b69ba0888fa0552f8e3 Mon Sep 17 00:00:00 2001
From: Scott Talbert
Date: Thu, 3 Aug 2023 16:25:07 -0400
Subject: [PATCH] Use new tarfile.extractall() filter for safer tarfile extraction

The tarfile.extractall() filter argument was introduced in the most recent CPython releases (e.g., 3.11.4) to avoid potential security issues when extracting from potentially hostile tarballs. Let's use this option if it is available and provide a warning if it is now.
---
 build.py | 7 ++++++-
 wx/tools/wxget_docs_demo.py | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/build.py b/build.py
index 9df36f4e..9bf99449 100755
--- a/build.py
+++ b/build.py
@@ -28,6 +28,7 @@ import tempfile
 import datetime
 import shlex
 import textwrap
+import warnings
 try:
     import pathlib
@@ -1403,7 +1404,11 @@ def cmd_sip(options, args):
     tf_name = glob.glob(tmpdir + '/*.tar*')[0]
     tf_dir = os.path.splitext(os.path.splitext(tf_name)[0])[0]
     with tarfile.open(tf_name) as tf:
-        tf.extractall(tmpdir)
+        try:
+            tf.extractall(tmpdir, filter='data')
+        except TypeError:
+            warnings.warn('Falling back to less safe tarfile.extractall')
+            tf.extractall(tmpdir)
     shutil.move(tf_dir, cfg.SIPINC)
diff --git a/wx/tools/wxget_docs_demo.py b/wx/tools/wxget_docs_demo.py
index d1d64123..0e20618e 100644
--- a/wx/tools/wxget_docs_demo.py
+++ b/wx/tools/wxget_docs_demo.py
@@ -33,6 +33,7 @@ import os
 import subprocess
 import webbrowser
 import tarfile
+import warnings
 if sys.version_info >= (3,):
     from urllib.error import HTTPError
     import urllib.request as urllib2
@@ -84,7 +85,11 @@ def unpack_cached(cached, dest_dir):
     """ Unpack from the cache."""
     print('Unpack', cached, 'to', dest_dir)
     with tarfile.open(cached, "r:*") as tf:
-        tf.extractall(dest_dir)
+        try:
+            tf.extractall(dest_dir, filter='data')
+        except TypeError:
+            warnings.warn('Falling back to less safe tarfile.extractall')
+            tf.extractall(dest_dir)
     dest_dir = os.listdir(dest_dir)[0]
     return dest_dir
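Review bot: Feature detection by catching `TypeError` around `tf.extractall(tmpdir, filter='data')` in cmd_sip is too broad: on an interpreter that does support `filter`, any TypeError raised partway through extraction would silently re-run the same archive through the unfiltered fallback, which is exactly the path this change is meant to keep hostile tarballs away from. The documented way to probe for the feature is `if hasattr(tarfile, 'data_filter'):` before extracting, with the `warnings.warn(...)` call and the plain `tf.extractall(tmpdir)` moved into the `else:` branch, so the fallback is chosen up front rather than after a failure. The identical pattern in unpack_cached in wx/tools/wxget_docs_demo.py should be changed the same way. Both cmd_sip and unpack_cached begin outside their hunks.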