Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

main: filter out malicious files when extracting tar archives #609

Merged
merged 2 commits into from
Jul 3, 2023
Merged

main: filter out malicious files when extracting tar archives #609

merged 2 commits into from
Jul 3, 2023

Conversation

layday
Copy link
Member

@layday layday commented Apr 28, 2023

s-t-e-v-e-n-k
s-t-e-v-e-n-k reviewed May 2, 2023
View reviewed changes
src/build/_util.py Outdated Show resolved Hide resolved
bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request May 19, 2023
@bmwiedemann
Update python-build to version 0.10.0 / rev 9 via SR 1085246
e1c33c6 
https://build.opensuse.org/request/show/1085246
by user mcepl + dimstar_suse
- Renamed patches support-pip-23.patch and
  support-tarfile-data-filter.patch to 589-colorized-pip23.patch
  (gh#pypa/build#589) and 609-filter-out-malicious.patch
  (gh#pypa/build#609), respectively.
- Add patch support-pip-23.patch:
  * pip 23 also colorizes output, confusing the test.
- Add patch support-tarfile-data-filter.patch:
  * Set tarfile.data_filter if available.
hroncok
hroncok reviewed Jun 13, 2023
View reviewed changes
src/build/_util.py Outdated Show resolved Hide resolved
@henryiii henryiii mentioned this pull request Jun 13, 2023
Merged
@layday layday mentioned this pull request Jul 3, 2023
Closed
@encukou
Copy link

encukou commented Jul 3, 2023

Note that this is a behaviour change -- though I'd argue it's a minor one. See discussion on the pip issue: pypa/pip#12111

@layday
Copy link
Member Author

layday commented Jul 3, 2023

Thank you - I think build being a development tool is better positioned than pip to trial the data filter. If any issues arise around permission bits, we can consider switching to the tar filter. The community's moving towards a direction where packages are defined statically, so the argument that "sdists involve arbitrary code execution" might hold less water now than it did a couple of years ago, and we should begin to see fewer "exotic" setups.

@layday layday merged commit 9a695f5 into pypa:main Jul 3, 2023
62 checks passed
@layday layday deleted the feat-filter-tar-members branch July 3, 2023 22:49
@encukou
Copy link

encukou commented Jul 4, 2023

FWIW, I'm proposing a PEP on this: https://discuss.python.org/t/28928

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hroncok hroncok hroncok left review comments

@henryiii henryiii henryiii approved these changes

@s-t-e-v-e-n-k s-t-e-v-e-n-k s-t-e-v-e-n-k left review comments

@FFY00 FFY00 Awaiting requested review from FFY00 FFY00 is a code owner

@gaborbernat gaborbernat Awaiting requested review from gaborbernat gaborbernat is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@layday @encukou @hroncok @henryiii @s-t-e-v-e-n-k