Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

main: filter out malicious files when extracting tar archives #609

Merged
merged 2 commits into from
Jul 3, 2023
Merged

main: filter out malicious files when extracting tar archives #609

merged 2 commits into from
Jul 3, 2023

Conversation

layday
Copy link
Member

@layday layday commented Apr 28, 2023

s-t-e-v-e-n-k
s-t-e-v-e-n-k reviewed May 2, 2023
View reviewed changes
bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request May 19, 2023
@bmwiedemann
Update python-build to version 0.10.0 / rev 9 via SR 1085246
e1c33c6 
https://build.opensuse.org/request/show/1085246
by user mcepl + dimstar_suse
- Renamed patches support-pip-23.patch and
  support-tarfile-data-filter.patch to 589-colorized-pip23.patch
  (gh#pypa/build#589) and 609-filter-out-malicious.patch
  (gh#pypa/build#609), respectively.
- Add patch support-pip-23.patch:
  * pip 23 also colorizes output, confusing the test.
- Add patch support-tarfile-data-filter.patch:
  * Set tarfile.data_filter if available.
hroncok
hroncok reviewed Jun 13, 2023
View reviewed changes
@henryiii henryiii mentioned this pull request Jun 13, 2023
Merged
@henryiii henryiii force-pushed the feat-filter-tar-members branch from 7e65e7c to 155efd8 Compare June 13, 2023 21:27
@layday layday mentioned this pull request Jul 3, 2023
Closed
@encukou
Copy link

encukou commented Jul 3, 2023

Note that this is a behaviour change -- though I'd argue it's a minor one. See discussion on the pip issue: pypa/pip#12111

@layday layday force-pushed the feat-filter-tar-members branch from 155efd8 to d70c38a Compare July 3, 2023 14:05
@layday
Copy link
Member Author

layday commented Jul 3, 2023

Thank you - I think build being a development tool is better positioned than pip to trial the data filter. If any issues arise around permission bits, we can consider switching to the tar filter. The community's moving towards a direction where packages are defined statically, so the argument that "sdists involve arbitrary code execution" might hold less water now than it did a couple of years ago, and we should begin to see fewer "exotic" setups.

@layday layday merged commit 9a695f5 into pypa:main Jul 3, 2023
@layday layday deleted the feat-filter-tar-members branch July 3, 2023 22:49
@encukou
Copy link

encukou commented Jul 4, 2023

FWIW, I'm proposing a PEP on this: https://discuss.python.org/t/28928

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@hroncok hroncok hroncok left review comments

@henryiii henryiii henryiii approved these changes

@s-t-e-v-e-n-k s-t-e-v-e-n-k s-t-e-v-e-n-k left review comments

@FFY00 FFY00 Awaiting requested review from FFY00 FFY00 is a code owner

@gaborbernat gaborbernat Awaiting requested review from gaborbernat gaborbernat is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@layday @encukou @hroncok @henryiii @s-t-e-v-e-n-k