gh-149486: tarfile.data_filter: validate written link target by encukou · Pull Request #149487 · python/cpython

encukou · 2026-05-07T09:31:17Z

Issue: tarfile.data_filter doesn't handle symlinks with empty names #149486

The data filter rewrote linknames with normpath() but ran the containment check against the un-normalised value, and computed a symlink's directory before stripping trailing slashes. Both let a crafted archive create links pointing outside the destination. Also reject link members that resolve to the destination directory itself, which could otherwise replace it with a symlink and redirect all subsequent members.

miss-islington-app · 2026-05-08T12:16:10Z

Thanks @encukou for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12, 3.13, 3.14, 3.15.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

bedevere-app · 2026-05-08T12:16:25Z

GH-149553 is a backport of this pull request to the 3.15 branch.

bedevere-app · 2026-05-08T12:16:30Z

GH-149554 is a backport of this pull request to the 3.14 branch.

bedevere-app · 2026-05-08T12:16:34Z

GH-149555 is a backport of this pull request to the 3.13 branch.

bedevere-app · 2026-05-08T12:16:40Z

GH-149556 is a backport of this pull request to the 3.12 branch.

…H-149487) (GH-149553) gh-149486: tarfile.data_filter: validate written link target (GH-149487) The data filter rewrote linknames with normpath() but ran the containment check against the un-normalised value, and computed a symlink's directory before stripping trailing slashes. Both let a crafted archive create links pointing outside the destination. Also reject link members that resolve to the destination directory itself, which could otherwise replace it with a symlink and redirect all subsequent members. (cherry picked from commit 5784119) Co-authored-by: Gregory P. Smith <greg@krypto.org>

…H-149487) (GH-149554) * gh-149486: tarfile.data_filter: validate written link target (GH-149487) The data filter rewrote linknames with normpath() but ran the containment check against the un-normalised value, and computed a symlink's directory before stripping trailing slashes. Both let a crafted archive create links pointing outside the destination. Also reject link members that resolve to the destination directory itself, which could otherwise replace it with a symlink and redirect all subsequent members. (Patch by Greg; Petr's just reviewing & merging.) (cherry picked from commit 5784119) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

…H-149487) (GH-149555) * gh-149486: tarfile.data_filter: validate written link target (GH-149487) The data filter rewrote linknames with normpath() but ran the containment check against the un-normalised value, and computed a symlink's directory before stripping trailing slashes. Both let a crafted archive create links pointing outside the destination. Also reject link members that resolve to the destination directory itself, which could otherwise replace it with a symlink and redirect all subsequent members. (Patch by Greg; Petr's just reviewing & merging.) (cherry picked from commit 5784119) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

bedevere-bot · 2026-05-11T10:46:41Z

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 Fedora Stable LTO 3.15 (tier-1) has failed when building commit 5cf47a2.

What do you need to do:

Don't panic.
Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
Go to the page of the buildbot that failed (https://buildbot.python.org/#/builders/2090/builds/16) and take a look at the build logs.
Check if the failure is related to this commit (5cf47a2) or if it is a false positive.
If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/#/builders/2090/builds/16

Failed tests:

test.test_multiprocessing_fork.test_processes

Failed subtests:

test_interrupt - test.test_multiprocessing_fork.test_processes.WithProcessesTestProcess.test_interrupt

Summary of the results of the build (if available):

==

Click to see traceback logs

Traceback (most recent call last):
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/contextlib.py", line 116, in inner
    return func(*args, **kwds)
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/test/_test_multiprocessing.py", line 649, in test_interrupt
    exitcode = self._kill_process(multiprocessing.Process.interrupt)
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/contextlib.py", line 116, in inner
    return func(*args, **kwds)
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/test/_test_multiprocessing.py", line 630, in _kill_process
    self.assertEqual(join(), None)
                     ~~~~^^
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/test/_test_multiprocessing.py", line 303, in __call__
    return self.func(*args, **kwds)
           ~~~~~~~~~^^^^^^^^^^^^^^^
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/multiprocessing/process.py", line 156, in join
    res = self._popen.wait(timeout)
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/multiprocessing/popen_fork.py", line 44, in wait
    return self.poll(os.WNOHANG if timeout == 0.0 else 0)
           ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/multiprocessing/popen_fork.py", line 28, in poll
    pid, sts = os.waitpid(self.pid, flag)
               ~~~~~~~~~~^^^^^^^^^^^^^^^^
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/test/_test_multiprocessing.py", line 626, in handler
    raise RuntimeError('join took too long: %s' % p)
RuntimeError: join took too long: <Process name='Process-157' pid=3262808 parent=3260155 started daemon>


Traceback (most recent call last):
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/contextlib.py", line 116, in inner
    return func(*args, **kwds)
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/test/_test_multiprocessing.py", line 649, in test_interrupt
    exitcode = self._kill_process(multiprocessing.Process.interrupt)
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/contextlib.py", line 116, in inner
    return func(*args, **kwds)
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/test/_test_multiprocessing.py", line 630, in _kill_process
    self.assertEqual(join(), None)
                     ~~~~^^
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/test/_test_multiprocessing.py", line 303, in __call__
    return self.func(*args, **kwds)
           ~~~~~~~~~^^^^^^^^^^^^^^^
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/multiprocessing/process.py", line 156, in join
    res = self._popen.wait(timeout)
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/multiprocessing/popen_fork.py", line 44, in wait
    return self.poll(os.WNOHANG if timeout == 0.0 else 0)
           ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/multiprocessing/popen_fork.py", line 28, in poll
    pid, sts = os.waitpid(self.pid, flag)
               ~~~~~~~~~~^^^^^^^^^^^^^^^^
  File "/home/buildbot-worker/cstratak-fedora-stable-x86_64/3.15.cstratak-fedora-stable-x86_64.lto/build/Lib/test/_test_multiprocessing.py", line 626, in handler
    raise RuntimeError('join took too long: %s' % p)
RuntimeError: join took too long: <Process name='Process-1' pid=3282745 parent=3282743 started daemon>

…H-149487) (#149556) * gh-149486: tarfile.data_filter: validate written link target (GH-149487) The data filter rewrote linknames with normpath() but ran the containment check against the un-normalised value, and computed a symlink's directory before stripping trailing slashes. Both let a crafted archive create links pointing outside the destination. Also reject link members that resolve to the destination directory itself, which could otherwise replace it with a symlink and redirect all subsequent members. (Patch by Greg; Petr's just reviewing & merging.) (cherry picked from commit 5784119) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org> * Move dotdot_resolves_early setting to setUpClass --------- Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

StanFromIreland · 2026-06-03T14:46:49Z

Does this not need backporting to 3.11 and 3.10?

miss-islington-app · 2026-06-04T09:47:00Z

Thanks @encukou for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

miss-islington-app · 2026-06-04T09:47:00Z

Thanks @encukou for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

miss-islington-app · 2026-06-04T09:47:08Z

Sorry, @encukou, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 578411982c16f753f4893532510099ef665117da 3.10

bedevere-app · 2026-06-04T09:47:14Z

GH-150904 is a backport of this pull request to the 3.11 branch.

gpshead and others added 3 commits May 4, 2026 19:14

Add issue to blurb

95a1b3a

Merge in the main branch

3012f22

encukou requested a review from ethanfurman as a code owner May 7, 2026 09:31

bedevere-app Bot mentioned this pull request May 7, 2026

tarfile.data_filter doesn't handle symlinks with empty names #149486

Open

bedevere-app Bot added the awaiting core review label May 7, 2026

encukou added needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes and removed awaiting core review labels May 7, 2026

gpshead approved these changes May 7, 2026

View reviewed changes

bedevere-app Bot added the awaiting merge label May 7, 2026

StanFromIreland assigned StanFromIreland and unassigned StanFromIreland May 7, 2026

StanFromIreland added the needs backport to 3.15 pre-release feature fixes, bugs and security fixes label May 7, 2026

encukou merged commit 5784119 into python:main May 8, 2026
69 checks passed

encukou deleted the tarfile-validate-written-link-target branch May 8, 2026 12:16

bedevere-app Bot removed the awaiting merge label May 8, 2026

bedevere-app Bot removed the needs backport to 3.15 pre-release feature fixes, bugs and security fixes label May 8, 2026

bedevere-app Bot removed the needs backport to 3.14 bugs and security fixes label May 8, 2026

bedevere-app Bot removed the needs backport to 3.13 bugs and security fixes label May 8, 2026

bedevere-app Bot removed the needs backport to 3.12 only security fixes label May 8, 2026

encukou added needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes labels Jun 4, 2026

miss-islington-app Bot assigned encukou Jun 4, 2026

bedevere-app Bot removed the needs backport to 3.11 only security fixes label Jun 4, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

gh-149486: tarfile.data_filter: validate written link target#149487

gh-149486: tarfile.data_filter: validate written link target#149487
encukou merged 3 commits into
python:mainfrom
encukou:tarfile-validate-written-link-target

encukou commented May 7, 2026 •

edited by bedevere-app Bot

Loading

Uh oh!

Uh oh!

miss-islington-app Bot commented May 8, 2026

Uh oh!

bedevere-app Bot commented May 8, 2026

Uh oh!

bedevere-app Bot commented May 8, 2026

Uh oh!

bedevere-app Bot commented May 8, 2026

Uh oh!

bedevere-app Bot commented May 8, 2026

Uh oh!

bedevere-bot commented May 11, 2026

Uh oh!

StanFromIreland commented Jun 3, 2026

Uh oh!

miss-islington-app Bot commented Jun 4, 2026

Uh oh!

miss-islington-app Bot commented Jun 4, 2026

Uh oh!

miss-islington-app Bot commented Jun 4, 2026

Uh oh!

bedevere-app Bot commented Jun 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Uh oh!

Conversation

encukou commented May 7, 2026 • edited by bedevere-app Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

miss-islington-app Bot commented May 8, 2026

Uh oh!

bedevere-app Bot commented May 8, 2026

Uh oh!

bedevere-app Bot commented May 8, 2026

Uh oh!

bedevere-app Bot commented May 8, 2026

Uh oh!

bedevere-app Bot commented May 8, 2026

Uh oh!

bedevere-bot commented May 11, 2026

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Uh oh!

StanFromIreland commented Jun 3, 2026

Uh oh!

miss-islington-app Bot commented Jun 4, 2026

Uh oh!

miss-islington-app Bot commented Jun 4, 2026

Uh oh!

miss-islington-app Bot commented Jun 4, 2026

Uh oh!

bedevere-app Bot commented Jun 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

encukou commented May 7, 2026 •

edited by bedevere-app Bot

Loading