
main: filter out malicious files when extracting tar archives #609

Merged
layday merged 2 commits into pypa:main from layday:feat-filter-tar-members
Jul 3, 2023

Conversation

@layday (Member) commented Apr 28, 2023

bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request May 19, 2023
https://build.opensuse.org/request/show/1085246
by user mcepl + dimstar_suse
- Renamed patches support-pip-23.patch and
  support-tarfile-data-filter.patch to 589-colorized-pip23.patch
  (gh#pypa/build#589) and 609-filter-out-malicious.patch
  (gh#pypa/build#609), respectively.
- Add patch support-pip-23.patch:
  * pip 23 also colorizes output, confusing the test.
- Add patch support-tarfile-data-filter.patch:
  * Set tarfile.data_filter if available.
@henryiii force-pushed the feat-filter-tar-members branch from 7e65e7c to 155efd8 on June 13, 2023 21:27
@encukou commented Jul 3, 2023

Note that this is a behaviour change -- though I'd argue it's a minor one. See discussion on the pip issue: pypa/pip#12111

@layday force-pushed the feat-filter-tar-members branch from 155efd8 to d70c38a on July 3, 2023 14:05
@layday (Member, Author) commented Jul 3, 2023

Thank you - I think build being a development tool is better positioned than pip to trial the data filter. If any issues arise around permission bits, we can consider switching to the tar filter. The community's moving towards a direction where packages are defined statically, so the argument that "sdists involve arbitrary code execution" might hold less water now than it did a couple of years ago, and we should begin to see fewer "exotic" setups.
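
The two comments above turn on what the `data` filter actually does to an sdist-style tarball: which members it refuses, and which it quietly rewrites (the "behaviour change"). The following is an added example, not code from pypa/build or from any commenter. It builds a constructed archive with one benign file and three hostile members, extracts it member by member with `filter="data"` so that each rejection is recorded instead of aborting the whole extraction, and reports what landed on disk. On interpreters that predate the PEP 706 backports it substitutes a local approximation of the filter's path checks (`_fallback_check`, an assumption, not the stdlib code). All file names and the `run_demo` helper are illustrative.

```python
"""Added example (not pypa/build code): extract an sdist tarball with the
PEP 706 'data' filter and record which members it refuses."""
import copy
import io
import os
import tarfile
import tempfile

HAS_DATA_FILTER = hasattr(tarfile, "data_filter")


class UnsafeMemberError(Exception):
    """Raised by the fallback checker when a member would escape dest."""


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign file plus three hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, data=b"", **attrs):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            for key, value in attrs.items():
                setattr(info, key, value)
            tf.addfile(info, io.BytesIO(data) if data else None)

        add("pkg-1.0/setup.py", b"print('hello')\n")
        add("pkg-1.0/../../outside.txt", b"escaped\n")      # path traversal
        add("/etc/cron.d/evil", b"* * * * * root id\n")     # absolute path
        add("pkg-1.0/link", type=tarfile.SYMTYPE,
            linkname="../../../etc/passwd")                 # symlink escaping dest
    return buf.getvalue()


def _fallback_check(member: tarfile.TarInfo, dest: str) -> tarfile.TarInfo:
    """Assumed stand-in for the 'data' filter on old interpreters: strip a
    leading '/', then refuse members and link targets that resolve outside dest."""
    dest = os.path.realpath(dest)
    name = member.name.lstrip("/" + os.sep)
    if os.path.isabs(name):
        raise UnsafeMemberError(f"absolute path: {member.name}")
    target = os.path.realpath(os.path.join(dest, name))
    if os.path.commonpath([target, dest]) != dest:
        raise UnsafeMemberError(f"outside destination: {member.name}")
    if member.issym() or member.islnk():
        if os.path.isabs(member.linkname):
            raise UnsafeMemberError(f"absolute link: {member.name}")
        base = os.path.dirname(target) if member.issym() else dest
        link_target = os.path.realpath(os.path.join(base, member.linkname))
        if os.path.commonpath([link_target, dest]) != dest:
            raise UnsafeMemberError(f"link escapes destination: {member.name}")
    elif not (member.isfile() or member.isdir()):
        raise UnsafeMemberError(f"special file: {member.name}")
    safe = copy.copy(member)   # extract under the stripped name, not the original
    safe.name = name
    return safe


def extract_sdist(archive: bytes, dest: str):
    """Extract member by member; return (extracted names, {rejected name: reason})."""
    extracted, rejected = [], {}
    reject_types = (getattr(tarfile, "FilterError", UnsafeMemberError), UnsafeMemberError)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        for member in tf.getmembers():
            try:
                if HAS_DATA_FILTER:
                    # The filter runs before anything is written; a refused
                    # member raises a FilterError subclass and nothing lands.
                    tf.extract(member, path=dest, filter="data")
                else:
                    tf.extract(_fallback_check(member, dest), path=dest)
            except reject_types as exc:
                rejected[member.name] = type(exc).__name__
            else:
                extracted.append(member.name)
    return extracted, rejected


def run_demo():
    """Extract the sample into tmp/dest; report what ended up on disk and
    whether the traversal member escaped into tmp."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        os.mkdir(dest)
        extracted, rejected = extract_sdist(build_sample_archive(), dest)
        on_disk = sorted(
            os.path.relpath(os.path.join(root, f), dest)
            for root, _dirs, files in os.walk(dest) for f in files
        )
        escaped = os.path.exists(os.path.join(tmp, "outside.txt"))
    return extracted, rejected, on_disk, escaped


if __name__ == "__main__":
    print(run_demo())
```

Two things worth noticing when running it: the `..` traversal and the escaping symlink are refused outright, but the absolute path is not refused, it is rewritten (the leading `/` is stripped and the file lands at `dest/etc/cron.d/evil`). That rewrite, together with the filter's handling of permission bits, is the behaviour change being discussed; the stricter checks are what make the "sdists involve arbitrary code execution" argument weaker for the extraction step itself.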

@layday merged commit 9a695f5 into pypa:main Jul 3, 2023
@layday deleted the feat-filter-tar-members branch July 3, 2023 22:49
@encukou commented Jul 4, 2023

FWIW, I'm proposing a PEP on this: https://discuss.python.org/t/28928


5 participants