Skip to content

[3.14] gh-138158: Use the "data" tarfile extraction filter in Tools/ssl/multissltests.py (GH-138147) #138262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 31, 2025
Merged

[3.14] gh-138158: Use the "data" tarfile extraction filter in Tools/ssl/multissltests.py (GH-138147) #138262

merged 1 commit into from
Aug 31, 2025

Conversation

@miss-islington
Copy link
Contributor

@miss-islington miss-islington commented Aug 30, 2025
edited by bedevere-app bot
Loading

The Tools/ssl/multissltests.py script may extract a possibly untrusted tarball.
Since the script does not necessarily use Python 3.14 or later (where the "data"
filter became the default tarfile extraction filter), the user may theoretically
suffer from a path traversal attack.

Although the script should not be used in production and usually relies on downloading
trusted sources, the "data" extraction filter is now explicitly used wherever relevant.
(cherry picked from commit 31d3836)

Co-authored-by: Tommaso Bona [email protected]

@ParzivalHack @miss-islington
pythongh-138158: Use the "data" tarfile extraction filter in `Tools…
543557c 
…/ssl/multissltests.py` (pythonGH-138147)

The `Tools/ssl/multissltests.py` script may extract a possibly untrusted tarball.
Since the script does not necessarily use Python 3.14 or later (where the `"data"`
filter became the default `tarfile` extraction filter), the user may theoretically
suffer from a path traversal attack.

Although the script should not be used in production and usually relies on downloading
trusted sources, the `"data"` extraction filter is now explicitly used wherever relevant.
(cherry picked from commit 31d3836)

Co-authored-by: Tommaso Bona <[email protected]>
@bedevere-app bedevere-app bot mentioned this pull request Aug 30, 2025
Closed
@bedevere-app bedevere-app bot mentioned this pull request Aug 30, 2025
Merged
@hugovk hugovk merged commit b79bece into python:3.14 Aug 31, 2025
54 checks passed
kumaraditya303 pushed a commit to miss-islington/cpython that referenced this pull request Sep 9, 2025
@miss-islington @ParzivalHack @kumaraditya303
[3.14] pythongh-138158: Use the "data" tarfile extraction filter in…
b8e9bc5 
… `Tools/ssl/multissltests.py` (pythonGH-138147) (python#138262)

Co-authored-by: Tommaso Bona <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@picnixz picnixz picnixz approved these changes

@gpshead gpshead Awaiting requested review from gpshead gpshead is a code owner

Assignees

@hugovk hugovk

Labels

skip news topic-SSL

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@miss-islington @picnixz @hugovk @ParzivalHack