Merge pull request #7295 from pmisik/PEP706_Filter4Tarfile

Improve security of tarfile extraction addressed by PEP 706
buildbot · Dec 20, 2023 · 7b99502 · 7b99502
2 parents f0d8e79 + 180a490
commit 7b99502
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/master/buildbot/process/remotetransfer.py b/master/buildbot/process/remotetransfer.py
@@ -126,7 +126,10 @@ def remote_unpack(self):
 
         # Unpack archive and clean up after self
         with tarfile.open(name=self.tarname, mode=mode) as archive:
-            archive.extractall(path=self.destroot)
+            if hasattr(tarfile, 'data_filter'):
+                archive.extractall(path=self.destroot, filter='data')
+            else:
+                archive.extractall(path=self.destroot)
         os.remove(self.tarname)
 
 

diff --git a/master/buildbot/test/integration/test_upgrade.py b/master/buildbot/test/integration/test_upgrade.py
@@ -77,7 +77,10 @@ def setUpUpgradeTest(self):
             with tarfile.open(tarball) as tf:
                 prefixes = set()
                 for inf in tf:
-                    tf.extract(inf)
+                    if hasattr(tarfile, 'data_filter'):
+                        tf.extract(inf, filter='data')
+                    else:
+                        tf.extract(inf)
                     prefixes.add(inf.name.split('/', 1)[0])
 
             # get the top-level dir from the tarball

diff --git a/newsfragments/tarfile-pep706.bugfix b/newsfragments/tarfile-pep706.bugfix
@@ -0,0 +1 @@
+Improved security of tarfile extraction to help avoid CVE-2007-4559. See more details in https://peps.python.org/pep-0706/. Buildbot uses filter='data' now. (:issue:`7294`)