tarfile.data_filter wrongly rejects some tarballs with symlinks #107845

encukou · 2023-08-10T15:34:12Z

My implementation of PEP-706 has a bug: it wrongly determines the target of symlinks, and thus wrongly raises LinkOutsideDestinationError on some valid tarballs.

I didn't pay enough attention to this quirk of the format (which I'd like to add to TarInfolinkname docs):

For symbolic links (SYMTYPE), the linkname is relative to the directory that contains the link.
For hard links (LNKTYPE), the linkname is relative to the root of the archive.

So, in a tarball that contains the following, the links point to dir/target:

dir/target
other_dir/symlink -> ../dir/target
other_dir/hardlink -> dir/target

But data_filter thinks that other_dir/symlink will point to ../dir target outside the destination directory.

I have a fix but would like to test it more next week, before merging.
Sorry for the extra work this'll cause for a lot of people :(

Linked PRs

The text was updated successfully, but these errors were encountered:

Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>

…GH-107846) (cherry picked from commit acbd3f9) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>

…7846) (#108211) gh-107845: Fix symlink handling for tarfile.data_filter (GH-107846) (cherry picked from commit acbd3f9) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>

encukou · 2023-08-21T15:29:51Z

3.13 PR is merged.
3.12 PR is merged (thanks Thomas)!
Buildbots are running on the 3.11 PR: #108209
If the bots don't find any issues I'll continue with the older releases (3.10 needs adjusting tests, 3.9-3.8 doesn't apply cleanly in Git).

…7846) (GH-108209) gh-107845: Fix symlink handling for tarfile.data_filter (GH-107846) (cherry picked from commit acbd3f9) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>

…ythonGH-107846) (pythonGH-108209) pythongh-107845: Fix symlink handling for tarfile.data_filter (pythonGH-107846) (cherry picked from commit acbd3f9) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>

…7846) (#108210)

) (#108274) (cherry picked from commit acbd3f9) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>

) (#108279) (cherry picked from commit acbd3f9) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>

…ythonGH-107846) (python#108274) (cherry picked from commit acbd3f9) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>

hugovk · 2023-11-09T22:17:23Z

Ready to close this issue?

encukou · 2023-11-13T13:11:54Z

Yes, thank you for the ping.
For reference, the affected versions, which can raise unwanted tarfile.LinkOutsideDestinationError on valid input, are:

sys.version_info[:3] in {(3, 8, 17), (3, 9, 17), (3, 10, 12), (3, 11, 4)}

…y python versions - see: python/cpython#107845

* Add test for install and standalone on windows. * Test in venv. * Skip Manager. * Fix activate command. * Update. * Update. * improve platform system determination * `DependencyCompiler`: add `reqs` parameter to `.Download` and `.Wheel` methods * refactored tarball creation/extraction to use `create_tarball`/`extract_tarball` * skip uv wheel when dehydrating standalone python on windows * small fixup to joining python standalone download url * improve parsing of reqs from reqFile * add `tarfile.data_filter` to all tar filters to address secruity audit * revert tar security fix, since `tarfile.data_filter` is busted in many python versions - see: python/cpython#107845 * add numpy<2 override on windows --------- Co-authored-by: telamonian <telamonian@users.noreply.github.com>

encukou added the type-bug An unexpected behavior, bug, or error label Aug 10, 2023

bedevere-bot mentioned this issue Aug 10, 2023

gh-107845: Fix symlink handling for tarfile.data_filter #107846

Merged

sunmy2019 added the stdlib Python modules in the Lib dir label Aug 10, 2023

encukou added 3.11 only security fixes 3.10 only security fixes 3.9 only security fixes 3.8 (EOL) end of life 3.12 bugs and security fixes 3.13 bugs and security fixes labels Aug 14, 2023

encukou added a commit that referenced this issue Aug 21, 2023

gh-107845: Fix symlink handling for tarfile.data_filter (GH-107846)

acbd3f9

Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>

bedevere-bot mentioned this issue Aug 21, 2023

[3.11] gh-107845: Fix symlink handling for tarfile.data_filter (GH-107846) #108209

Merged

bedevere-bot mentioned this issue Aug 21, 2023

[3.10] gh-107845: Fix symlink handling for tarfile.data_filter (GH-107846) #108210

Merged

bedevere-bot mentioned this issue Aug 21, 2023

[3.12] gh-107845: Fix symlink handling for tarfile.data_filter (GH-107846) #108211

Merged

bedevere-bot mentioned this issue Aug 22, 2023

[3.9] gh-107845: Fix symlink handling for tarfile.data_filter (GH-107846) #108274

Merged

bedevere-bot mentioned this issue Aug 22, 2023

[3.8] gh-107845: Fix symlink handling for tarfile.data_filter (GH-107846) #108279

Merged

pablogsal pushed a commit that referenced this issue Aug 22, 2023

[3.10] gh-107845: Fix symlink handling for tarfile.data_filter (GH-10…

7d44551

…7846) (#108210)

LecrisUT mentioned this issue Sep 4, 2023

Fix: build wheel workflow spglib/spglib#321

Merged

henryiii mentioned this issue Sep 5, 2023

Building with Python 3.11.4 generates tarfile.LinkOutsideDestinationError pypa/build#674

Closed

serhiy-storchaka added this to Tarfile issues Sep 10, 2023

LecrisUT mentioned this issue Sep 12, 2023

Install does not preserve symlink scikit-build/scikit-build-core#492

Closed

dimbleby mentioned this issue Nov 10, 2023

Some packages source installation break in 1.7 due to tar extraction (LinkOutsideDestinationError) python-poetry/poetry#8645

Closed

4 tasks

encukou closed this as completed Nov 13, 2023

github-project-automation bot moved this to Done in Tarfile issues Nov 13, 2023

telamonian added a commit to Comfy-Org/comfy-cli that referenced this issue Aug 30, 2024

revert tar security fix, since tarfile.data_filter is busted in man…

9a2e052

…y python versions - see: python/cpython#107845

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tarfile.data_filter wrongly rejects some tarballs with symlinks #107845

tarfile.data_filter wrongly rejects some tarballs with symlinks #107845

encukou commented Aug 10, 2023 •

edited by bedevere-bot

Loading

encukou commented Aug 21, 2023

hugovk commented Nov 9, 2023

encukou commented Nov 13, 2023

tarfile.data_filter wrongly rejects some tarballs with symlinks #107845

tarfile.data_filter wrongly rejects some tarballs with symlinks #107845

Comments

encukou commented Aug 10, 2023 • edited by bedevere-bot Loading

Linked PRs

encukou commented Aug 21, 2023

hugovk commented Nov 9, 2023

encukou commented Nov 13, 2023

encukou commented Aug 10, 2023 •

edited by bedevere-bot

Loading