@wiomoc wiomoc commented Aug 31, 2025

@wiomoc wiomoc force-pushed the fix-tar-extract-symlink-win32-path branch from 5956b5d to 2ccc462 Compare August 31, 2025 23:08
@wiomoc wiomoc marked this pull request as ready for review August 31, 2025 23:34
@wiomoc wiomoc requested a review from ethanfurman as a code owner August 31, 2025 23:34

encukou commented Sep 1, 2025

Should this be done for hardlinks as well?

I'd prefer saying “rewrite” rather than “sanitize”, as this is not fixing unsafe input.

We should probably skip this for leading // -- that would turn symlink targets into UNC paths, where I'm not sure of the security implications, and anyway it's not something you'd find in a portable UNIX-based tarball.

wiomoc commented Sep 1, 2025

> Should this be done for hardlinks as well?

This problem doesn't seem to occur when creating hardlinks:

```python
>>> import os
>>> os.mkdir("tmp")
>>> os.mkdir("tmp\\child")
>>> open("tmp\\child\\test.txt", "w").write("hello world")
11
>>> os.link("tmp/child/test.txt", "tmp/testlink.txt")
>>> open("tmp\\testlink.txt").read()
'hello world'
```

> We should probably skip this for leading // -- that would turn symlink targets into UNC paths, where I'm not sure of the security implications, and anyway it's not something you'd find in a portable UNIX-based tarball.

On the one hand, I see the risk of security implications, but I also note that in pathlib, slashes are also replaced in UNC paths.

@encukou encukou left a comment

OK; re-reading the discussion I see experts suggesting to always replace, so let's go with that.
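The rewrite discussed above, as an added example that is not part of the pull request or of CPython's code: it replaces slashes in each symlink member's target and reports how Windows path rules would read the result, including the leading `//` case that becomes a UNC path. The function names and the in-memory sample archive are constructed for illustration; `ntpath` is used so the check runs on any platform.

```python
import io
import ntpath
import tarfile


def rewrite_link_target(linkname):
    """Replace slashes with backslashes, the rewrite this thread describes."""
    return linkname.replace("/", "\\")


def classify_windows_target(linkname):
    """Say how Windows path rules would read the rewritten target."""
    drive, rest = ntpath.splitdrive(rewrite_link_target(linkname))
    if drive.startswith("\\\\"):
        return "unc"                    # \\server\share\...
    if drive or rest.startswith("\\"):
        return "drive-or-rooted"        # C:..., C:\..., or \...
    return "relative"


def audit_symlinks(fileobj):
    """Return (name, rewritten target, kind) for each symlink member."""
    report = []
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        for member in tar:
            if member.issym():
                report.append((member.name,
                               rewrite_link_target(member.linkname),
                               classify_windows_target(member.linkname)))
    return report


def build_sample_tar():
    """Constructed sample archive: three symlink members, no file data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in [("testlink.txt", "child/test.txt"),
                             ("up.txt", "../child/test.txt"),
                             ("remote.txt", "//server/share/test.txt")]:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for row in audit_symlinks(build_sample_tar()):
        print(row)
```

Nothing is extracted; the archive is only listed, so the audit can be run before deciding whether to unpack.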

@wiomoc wiomoc requested a review from encukou September 2, 2025 20:43
@encukou encukou added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Sep 3, 2025
@bedevere-bot

🤖 New build scheduled with the buildbot fleet by @encukou for commit 942b6e3 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F138309%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Sep 3, 2025
Comment on lines 1 to 2
When extracting tar files on Windows Posix flavoured path separators in symlink
targets will be replaced by backward-slashes to prevent corrupted links.

Suggested change
When extracting tar files on Windows Posix flavoured path separators in symlink
targets will be replaced by backward-slashes to prevent corrupted links.
When extracting tar files on Windows, slashes in symlink
targets will be replaced by backslashes to prevent corrupted links.

encukou commented Sep 3, 2025

Looks good! Could you also add an entry to Doc/whatsnew/3.15.rst?

@wiomoc wiomoc requested a review from AA-Turner as a code owner September 3, 2025 15:39
@encukou encukou merged commit c1a9c23 into python:main Sep 5, 2025
45 checks passed

encukou commented Sep 5, 2025

Thank you!

picnixz commented Sep 7, 2025

I think this broke some buildbots: https://buildbot.python.org/#/builders/914. It wasn't detected until #138276 (which was 20h ago, but this change is 2 days ago and the previous buildbot run was 3 days ago)

@AA-Turner

@picnixz if you open a revert PR as draft, you could use !buildbot to check this worker & see if it passes again?

A

picnixz commented Sep 7, 2025

I'm not on a dev session but I'll do it tomorrow if no one beats me to it.

wiomoc commented Sep 7, 2025

The test only fails when running on a Windows system with disabled symlink support - therefore it didn't occur on GH actions.
I have a possible fix in #138626

lkollar pushed a commit to lkollar/cpython that referenced this pull request Sep 9, 2025