[CVE-2025-4435] tarfile still extracts problematic files when filter is set and errorlevel is 0 #112887

Closed
ChuckWoodraska opened this issue Dec 8, 2023 · 1 comment
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error type-security A security issue

ChuckWoodraska commented Dec 8, 2023

Bug report

Bug description:

From the docs https://docs.python.org/3.11/library/tarfile.html#tarfile.data_filter it sounds like setting errorlevel to 0 and having a filter should log that the offending member was skipped and continue extraction. It looks like it actually logs the filter error and extracts the offending member. The below code shows the FilterError and the extraction.

From the docs: When a filter refuses to extract a file, it will raise an appropriate exception, a subclass of FilterError. This will abort the extraction if TarFile.errorlevel is 1 or more. With errorlevel=0 the error will be logged and the member will be skipped, but extraction will continue.

I was expecting it to tell me the file it skipped and not have any extraction with the given code.

```python
import tarfile

# Create a small file to put in the archive.
with open('test.txt', 'w') as f:
    f.write('Hello')

# Store it under a name that climbs out of the extraction directory.
with tarfile.open('my_archive.tar', 'w:xz') as tar:
    tar.add('test.txt', arcname='../test.txt')

with tarfile.open("my_archive.tar") as tar:
    tar.debug = True       # make tarfile print the filter error
    tar.errorlevel = 0     # per the docs: log and skip refused members
    print(tar.errorlevel)

    # Expected: FilterError logged, '../test.txt' skipped.
    # Observed (the bug): the error is logged and the file is extracted anyway.
    tar.extractall(filter="data")
```

CPython versions tested on:

3.11

Operating systems tested on:

macOS

@ChuckWoodraska ChuckWoodraska added the type-bug An unexpected behavior, bug, or error label Dec 8, 2023
@AlexWaygood AlexWaygood added the stdlib Python modules in the Lib dir label Dec 8, 2023
@encukou encukou changed the title tarfile still extracts problematic files when filter is set and errorlevel is 0 [CVE-2025-4435] tarfile still extracts problematic files when filter is set and errorlevel is 0 Jun 4, 2025
encukou commented Jun 4, 2025

This became CVE-2025-4435.
Thank you for reporting it!

Fixed in #135037 and backported to all maintained branches.

@encukou encukou closed this as completed Jun 4, 2025
@AA-Turner AA-Turner added the type-security A security issue label Jun 4, 2025