Skip to content

gh-57911: Sanitize symlink targets in tarfile on win32#138309

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
encukou merged 6 commits into from
Sep 5, 2025
Merged

gh-57911: Sanitize symlink targets in tarfile on win32 #138309

encukou merged 6 commits into from
Sep 5, 2025

Conversation

@wiomoc
Copy link
Contributor

@wiomocwiomoc commented Aug 31, 2025
edited by bedevere-app bot
Loading

@bedevere-appbedevere-appbot mentioned this pull request Aug 31, 2025
Closed
@wiomocwiomocforce-pushed the fix-tar-extract-symlink-win32-path branch from fac592d to 5956b5dCompareAugust 31, 2025 23:07
@wiomocwiomocforce-pushed the fix-tar-extract-symlink-win32-path branch from 5956b5d to 2ccc462CompareAugust 31, 2025 23:08
@wiomocwiomoc marked this pull request as ready for review August 31, 2025 23:34
@encukou
Copy link
Member

encukou commented Sep 1, 2025

Should this be done for hardlinks as well?

I'd prefer saying “rewrite” rather than “sanitize”, as this is not fixing unsafe input.

We should probably skip this for leading // -- that would turn symlink targets into UNC paths, where I'm not sure of the security implications, and anyway it's not something you'd find in a portable UNIX-based tarball.

@wiomoc
Copy link
ContributorAuthor

wiomoc commented Sep 1, 2025
edited
Loading

Should this be done for hardlinks as well?

This problem doesn't seam to occur when creating hardlinks:

>>>os.mkdir("tmp") >>>os.mkdir("tmp\\child") >>>open("tmp\\child\\test.txt", "w").write("hello world") 11>>>os.link("tmp/child/test.txt", "tmp/testlink.txt") >>>open("tmp\\testlink.txt").read() 'hello world'

We should probably skip this for leading // -- that would turn symlink targets into UNC paths, where I'm not sure of the security implications, and anyway it's not something you'd find in a portable UNIX-based tarball.

On the one hand, I see the risk of security implications, but I also note that in pathlib, slashes are also replaced in UNC paths.

encukou
encukou reviewed Sep 2, 2025
View reviewed changes
Copy link
Member

@encukouencukou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK; re-reading the duscussion I see experts suggesting to always replace, so let's go with that.

@wiomocwiomoc requested a review from encukouSeptember 2, 2025 20:43
@encukouencukou added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Sep 3, 2025
@bedevere-bot
Copy link

bedevere-bot commented Sep 3, 2025

🤖 New build scheduled with the buildbot fleet by @encukou for commit 942b6e3 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F138309%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-botbedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Sep 3, 2025
encukou
encukou reviewed Sep 3, 2025
View reviewed changes
Misc/NEWS.d/next/Library/2025-08-31-22-10-22.gh-issue-57911.N_Ixtv.rst Outdated
Comment on lines 1 to 2
When extracting tar files on Windows Posix flavoured path separators in symlink
targets will be replaced by backward-slashes to prevent corrupted links.
Copy link
Member

@encukouencukouSep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
When extracting tar files on Windows Posix flavoured path separators in symlink
targets will be replaced by backward-slashes to prevent corrupted links.
When extracting tar files on Windows, slashes in symlink
targets will be replaced by backslashes to prevent corrupted links.

@encukou
Copy link
Member

encukou commented Sep 3, 2025

Looks good! Could you also add an entry to Doc/whatsnew/3.15.rst?

@encukouencukou merged commit c1a9c23 into python:mainSep 5, 2025
45 checks passed
@encukou
Copy link
Member

encukou commented Sep 5, 2025

Thank you!

@picnixz
Copy link
Member

picnixz commented Sep 7, 2025
edited
Loading

I think this broke some buildbots: https://buildbot.python.org/#/builders/914. It wasn't detected until #138276 (which was 20h ago, but this change is 2 days ago and the previous buildbot run was 3 days ago)

@AA-Turner
Copy link
Member

AA-Turner commented Sep 7, 2025

@picnixz if you open a revert PR as draft, you could use !buildbot to check this worker & see if it passes again?

A

@picnixz
Copy link
Member

picnixz commented Sep 7, 2025

I'm not on a dev session but I'll do it tomorrow if no one beats me to it.

@wiomoc
Copy link
ContributorAuthor

wiomoc commented Sep 7, 2025

The test only fails, when running on a Windows system with disabled symlink support - therefore it didn't occure on GH actions.
I have a possible fix in #138626

lkollar pushed a commit to lkollar/cpython that referenced this pull request Sep 9, 2025
@wiomoc@lkollar
pythongh-57911: Sanitize symlink targets in tarfile on win32 (pythonG…
356a0ff
…H-138309)
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@encukouencukouencukou left review comments

@ethanfurmanethanfurmanAwaiting requested review from ethanfurmanethanfurman is a code owner

@AA-TurnerAA-TurnerAwaiting requested review from AA-TurnerAA-Turner is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@wiomoc@encukou@bedevere-bot@picnixz@AA-Turner