Start using tarfile.data_filter as soon as possible

tarfile.TarFile.extraction_filter is implemented as a means of mitigating CVE-2007-4559. Officially, the extraction filters exist only since python 3.12 and the `data_filter` will become the default in python 3.14. In build.py: Many linux distributions backported this patch to earlier versions of python. Possibly other operating systems have done the same. Thus we attempt to switch to the `data_filter` regardless of version and catch the `AttributeError`. In update_clang_headers.py: Since this script is not supposed to be run by users, it is fine to expect maintainers to have a patched/new enough python for updating the clang headers.
bstaletic · Mar 7, 2024 · bcc9ac2 · bcc9ac2
1 parent 2ac34c8
commit bcc9ac2
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/build.py b/build.py
@@ -20,6 +20,14 @@
 import urllib.request
 
 
+# CVE-2007-4559 mitigation. See PEP 706
+# This will be the default since python 3.14
+try:
+  tarfile.TarFile.extraction_filter = tarfile.data_filter
+except AttributeError:
+  pass
+
+
 class InstallationFailed( Exception ):
   def __init__( self, message = None, exit_code = 1 ):
     self.message = message

diff --git a/update_clang_headers.py b/update_clang_headers.py
@@ -9,6 +9,7 @@
 import tarfile
 
 
+tarfile.TarFile.extraction_filter = tarfile.data_filter
 DIR_OF_THIS_SCRIPT = os.path.dirname( os.path.abspath( __file__ ) )
 DIR_OF_THIRD_PARTY = os.path.join( DIR_OF_THIS_SCRIPT, 'third_party' )