Skip to content

gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') #135037

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 20 commits into from
Jun 3, 2025
Merged

gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') #135037

merged 20 commits into from
Jun 3, 2025
+966 −169

Conversation

ambv
Copy link
Contributor

@ambv ambv commented Jun 2, 2025
edited by encukou
Loading

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

[edit @encukou]: Also addresses CVE-2025-4435. Sorry for leaving that out of the commit messages.

Co-authored-by: Petr Viktorin encukou@gmail.com
Signed-off-by: Łukasz Langa lukasz@langa.pl

📚 Documentation preview 📚: https://cpython-previews--135037.org.readthedocs.build/

@ambv @encukou
pythongh-135034: Normalize link targets in tarfile, add `os.path.real…
0c16f5f 
…path(strict='allow_missing')`

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

Co-authored-by: Petr Viktorin <encukou@gmail.com>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
@ambv ambv requested a review from ethanfurman as a code owner June 2, 2025 16:24
@bedevere-app bedevere-app bot mentioned this pull request Jun 2, 2025
Closed
@serhiy-storchaka
Copy link
Member

See also #71189.

AA-Turner
AA-Turner reviewed Jun 2, 2025
View reviewed changes
ambv and others added 3 commits June 2, 2025 22:10
@ambv @AA-Turner
Fix invalid parent directory unwinding in test
fd5ba13 
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
@ambv
Make tests more chatty
aeebdc8
@ambv
Use a better skip
f5544e6
encukou
encukou reviewed Jun 2, 2025
View reviewed changes
encukou
encukou reviewed Jun 2, 2025
View reviewed changes
@encukou
Copy link
Member

encukou commented Jun 2, 2025

See also #71189.

To align with this, there'd be a ntpath.ALLOW_MISSING singleton rather than an 'allow_missing' string.
That's possible, of course. It can catch typos. But I don't think it's worth having to import an extra name.

@encukou encukou added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jun 2, 2025
@bedevere-bot
Copy link

🤖 New build scheduled with the buildbot fleet by @encukou for commit 5af66c6 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F135037%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jun 2, 2025
@encukou encukou added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jun 3, 2025
@miss-islington-app
Copy link

Thanks @ambv for the PR, and @Yhg1s for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

@miss-islington-app
Copy link

Sorry, @ambv and @Yhg1s, I could not cleanly backport this to 3.14 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 3612d8f51741b11f36f8fb0494d79086bac9390a 3.14

@miss-islington-app
Copy link

Sorry, @ambv and @Yhg1s, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 3612d8f51741b11f36f8fb0494d79086bac9390a 3.13

Yhg1s pushed a commit to Yhg1s/cpython that referenced this pull request Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka @Yhg1s
[3.13] pythongh-135034: Normalize link targets in tarfile, add `os.pa…
2637f45 
…th.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-app bot commented Jun 3, 2025

GH-135064 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Jun 3, 2025
ambv added a commit to ambv/cpython that referenced this pull request Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka
pythongh-135034: Normalize link targets in tarfile, add `os.path.real…
553d40f 
…path(strict='allow_missing')` (python#135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 3612d8f)
@bedevere-app
Copy link

bedevere-app bot commented Jun 3, 2025

GH-135065 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Jun 3, 2025
Yhg1s pushed a commit to Yhg1s/cpython that referenced this pull request Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka @Yhg1s
[3.12] pythongh-135034: Normalize link targets in tarfile, add `os.pa…
c358142 
…th.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-app bot commented Jun 3, 2025

GH-135066 is a backport of this pull request to the 3.12 branch.

Yhg1s pushed a commit to Yhg1s/cpython that referenced this pull request Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka @Yhg1s
[3.11] pythongh-135034: Normalize link targets in tarfile, add `os.pa…
371b4ea 
…th.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)
(cherry picked from commit c358142)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-app bot commented Jun 3, 2025

GH-135068 is a backport of this pull request to the 3.11 branch.

Yhg1s pushed a commit to Yhg1s/cpython that referenced this pull request Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka @Yhg1s
[3.10] pythongh-135034: Normalize link targets in tarfile, add `os.pa…
4d959a0 
…th.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)
(cherry picked from commit c358142)
(cherry picked from commit 371b4ea)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-app bot commented Jun 3, 2025

GH-135070 is a backport of this pull request to the 3.10 branch.

ambv added a commit that referenced this pull request Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka
[3.14] gh-135034: Normalize link targets in tarfile, add `os.path.rea…
9e0ac76 
…lpath(strict='allow_missing')` (gh-135037) (gh-135065)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

(cherry picked from commit 3612d8f)

Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Yhg1s pushed a commit to Yhg1s/cpython that referenced this pull request Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka @Yhg1s
[3.9] pythongh-135034: Normalize link targets in tarfile, add `os.pat…
a12f367 
…h.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Yhg1s pushed a commit to Yhg1s/cpython that referenced this pull request Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka @Yhg1s
[3.9] pythongh-135034: Normalize link targets in tarfile, add `os.pat…
ab834f4 
…h.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-app bot commented Jun 3, 2025

GH-135084 is a backport of this pull request to the 3.9 branch.

ambv added a commit that referenced this pull request Jun 3, 2025
@Yhg1s @ambv
@encukou @sethmlarson @AA-Turner @serhiy-storchaka
[3.13] gh-135034: Normalize link targets in tarfile, add `os.path.rea…
aa9eb5f 
…lpath(strict='allow_missing')` (GH-135037) (GH-135064)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
ambv added a commit that referenced this pull request Jun 3, 2025
@Yhg1s @ambv
@encukou @sethmlarson @AA-Turner @serhiy-storchaka
[3.12] gh-135034: Normalize link targets in tarfile, add `os.path.rea…
19de092 
…lpath(strict='allow_missing')` (GH-135037) (GH-135066)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
ambv added a commit that referenced this pull request Jun 3, 2025
@Yhg1s @ambv
@encukou @sethmlarson @AA-Turner @serhiy-storchaka
[3.11] gh-135034: Normalize link targets in tarfile, add `os.path.rea…
4633f3f 
…lpath(strict='allow_missing')` (GH-135037) (GH-135068)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)
(cherry picked from commit c358142)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
ambv added a commit that referenced this pull request Jun 3, 2025
@Yhg1s @ambv
@encukou @sethmlarson @AA-Turner @serhiy-storchaka
[3.10] gh-135034: Normalize link targets in tarfile, add `os.path.rea…
9c1110e 
…lpath(strict='allow_missing')` (GH-135037) (#135070)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)
(cherry picked from commit c358142)
(cherry picked from commit 371b4ea)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
ambv added a commit that referenced this pull request Jun 3, 2025
@Yhg1s @ambv
@encukou @sethmlarson @AA-Turner @serhiy-storchaka
[3.9] gh-135034: Normalize link targets in tarfile, add `os.path.real…
dd8f187 
…path(strict='allow_missing')` (GH-135037) (GH-135084)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
This was referenced Jun 4, 2025
Closed
Closed
@encukou
Copy link
Member

encukou commented Jun 4, 2025

This does fix CVE-2025-4435. Sorry for leaving that out of the commit message.

(Thanks @stratakis for asking!)

This was referenced Jun 4, 2025
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@encukou encukou encukou left review comments

@AA-Turner AA-Turner AA-Turner left review comments

@ethanfurman ethanfurman Awaiting requested review from ethanfurman ethanfurman is a code owner

Assignees

@Yhg1s Yhg1s

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@ambv @serhiy-storchaka @encukou @bedevere-bot @AA-Turner @Yhg1s @sethmlarson