bpo-41316: Make tarfile follow specs for FNAME#21511
Uh oh!
There was an error while loading. Please reload this page.
Conversation
ofek commented Jul 16, 2020
Great find! |
Uh oh!
There was an error while loading. Please reload this page.
ArtemSBulgakov commented Jul 22, 2020
@ethanfurman Could you please review changes? |
tarfile writes full path to FNAME field of GZIP format instead of just basename if user specified absolute path. Some archive viewers may process file incorrectly. Also it creates security issue because anyone can know structure of directories on system and know username or other personal information. RFC1952 says about FNAME: This is the original name of the file being compressed, with any directory components removed. So tarfile must remove directory names from FNAME and write only basename of file.
ArtemSBulgakov commented Aug 18, 2020
Anyone? |
Uh oh!
There was an error while loading. Please reload this page.
jaraco left a comment
jaraco left a comment There was a problem hiding this comment.
Can you add a test to capture the expected behavior?
bedevere-bot commented Sep 7, 2020
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
In 3948880 , I added a failing test and in 0bbaa1c, merged it with the change, demonstrating the fix. |
serhiy-storchaka added needs backport to 3.8 type-bug 
miss-islington commented Sep 7, 2020
@ArtemSBulgakov: Status check is done, and it's a failure ❌ . |
miss-islington commented Sep 7, 2020
@ArtemSBulgakov: Status check is done, and it's a success ✅ . |
miss-islington commented Sep 7, 2020
Thanks @ArtemSBulgakov for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9. |
tarfile writes full path to FNAME field of GZIP format instead of just basename if user specified absolute path. Some archive viewers may process file incorrectly. Also it creates security issue because anyone can know structure of directories on system and know username or other personal information. RFC1952 says about FNAME: This is the original name of the file being compressed, with any directory components removed. So tarfile must remove directory names from FNAME and write only basename of file. Automerge-Triggered-By: @jaraco (cherry picked from commit 22748a8) Co-authored-by: Artem Bulgakov <ArtemSBulgakov@ya.ru>
bedevere-bot commented Sep 7, 2020
GH-22140 is a backport of this pull request to the 3.9 branch. |
bedevere-bot commented Sep 7, 2020
GH-22141 is a backport of this pull request to the 3.8 branch. |
tarfile writes full path to FNAME field of GZIP format instead of just basename if user specified absolute path. Some archive viewers may process file incorrectly. Also it creates security issue because anyone can know structure of directories on system and know username or other personal information. RFC1952 says about FNAME: This is the original name of the file being compressed, with any directory components removed. So tarfile must remove directory names from FNAME and write only basename of file. Automerge-Triggered-By: @jaraco (cherry picked from commit 22748a8) Co-authored-by: Artem Bulgakov <ArtemSBulgakov@ya.ru>
* origin/master: (1373 commits) bpo-1635741: Port mashal module to multi-phase init (python#22149) bpo-1635741: Port _string module to multi-phase init (pythonGH-22148) bpo-1635741: Convert _sha256 types to heap types (pythonGH-22134) bpo-1635741: Port the termios to multi-phase init (PEP 489) (pythonGH-22139) bpo-41732: add iterator to memoryview (pythonGH-22119) bpo-40744: Drop support for SQLite pre 3.7.3 (pythonGH-20909) bpo-41316: Make tarfile follow specs for FNAME (pythonGH-21511) bpo-41720: Add "return NotImplemented" in turtle.Vec2D.__rmul__(). (pythonGH-22092) bpo-1635741 port _curses_panel to multi-phase init (PEP 489) (pythonGH-21986) bpo-1635741: Port _overlapped module to multi-phase init (pythonGH-22051) bpo-1635741: Port _opcode module to multi-phase init (PEP 489) (pythonGH-22050) bpo-1635741 port zlib module to multi-phase init (pythonGH-21995) [doc] Add link to Generic in typing (pythonGH-22125) bpo-41513: Expand comments and add references for a better understanding (pythonGH-22123) bpo-1635741: Port _sha1, _sha512, _md5 to multiphase init (pythonGH-21818) closes bpo-41723: Fix an error in the py_compile documentation. (pythonGH-22110) [doc] Fix padding in some typing definitions (pythonGH-22114) Fix documented Python version for venv --upgrade-deps (pythonGH-22113) bpo-40318: Migrate to SQLite3 trace v2 API (pythonGH-19581) bpo-41687: Fix sendfile implementation to work with Solaris (python#22040) ...
tarfile writes full path to FNAME field of GZIP format instead of just basename if user specified absolute path. Some archive viewers may process file incorrectly. Also it creates security issue because anyone can know structure of directories on system and know username or other personal information. RFC1952 says about FNAME: This is the original name of the file being compressed, with any directory components removed. So tarfile must remove directory names from FNAME and write only basename of file. Automerge-Triggered-By: @jaraco
tarfile writes full path to FNAME field of GZIP format instead of just basename if user specified absolute path. Some archive viewers may process file incorrectly. Also it creates security issue because anyone can know structure of directories on system and know username or other personal information. RFC1952 says about FNAME: This is the original name of the file being compressed, with any directory components removed. So tarfile must remove directory names from FNAME and write only basename of file. Automerge-Triggered-By: @jaraco (cherry picked from commit 22748a8) Co-authored-by: Artem Bulgakov <ArtemSBulgakov@ya.ru>
tarfile writes full path to FNAME field of GZIP format instead of just basename if user specified absolute path. Some archive viewers may process file incorrectly. Also it creates security issue because anyone can know structure of directories on system and know username or other personal information. RFC1952 says about FNAME: This is the original name of the file being compressed, with any directory components removed. So tarfile must remove directory names from FNAME and write only basename of file. Automerge-Triggered-By: @jaraco (cherry picked from commit 22748a8) Co-authored-by: Artem Bulgakov <ArtemSBulgakov@ya.ru>
kodonnell commented Dec 6, 2021
I hit this in 3.7 - any reason it wasn't backported? Without knowing much about @miss-islington it looks like this just needs a |
miss-islington commented Dec 6, 2021
Thanks @ArtemSBulgakov for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7. |
miss-islington commented Dec 6, 2021
Sorry @ArtemSBulgakov, I had trouble checking out the |
Python 3.7 is now in security-maintenance mode, so no new binary releases. You'll have to build the updated Python yourself. I'll try to get to the cherrypick this week if nobody else beats me to it. |
10 participants
tarfile writes full path to FNAME field of GZIP format instead of just basename if user specified absolute path. Some archive viewers may process file incorrectly. Also it creates security issue because anyone can know structure of directories on system and know username or other personal information.
RFC1952 says about FNAME:
This is the original name of the file being compressed, with any directory components removed.
So tarfile must remove directory names from FNAME and write only basename of file.
https://bugs.python.org/issue41316
Automerge-Triggered-By: @jaraco