gh-123270: Replaced SanitizedNames with a more surgical fix. by jaraco · Pull Request #123354 · python/cpython
Seth, I'm seeking your review on this for a couple of reasons.
- It's a tweak to a security fix, so it needs to be applied to the same place. Do you agree this should be applied as an amendment to the previous security fix?
- It re-introduces potential vulnerabilities discussed here that were addressed by the original approach but also broke legitimate cases. Are you comfortable with more narrowly addressing the reported vulnerability (causing infinite loops) and leaving the other potential concerns to be addressed separately?
Thanks @jaraco, I'll take a look. Maybe you can clarify for me, the vulnerability only affects zipfile.Path and not zipfile.ZipFile methods using namelist, etc? If that's the case I need to update the advisory.
That is correct.
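The exchange above scopes the issue to zipfile.Path resolving malformed entry names taken from namelist. As an added example (not code from this PR or from CPython), the following audit walks a ZipFile's namelist and reports entries that are not plain relative paths, the same kinds of names the malformed_paths test exercises (slash-prefixed, `..` components, empty components), so a consumer can reject an untrusted archive before handing it to zipfile.Path. The archive and all its names are constructed in-memory for the example.

```python
import io
import zipfile

# Entry names an archive might carry (constructed for this example).
SAMPLE_NAMES = [
    "pkg/module.py",        # ordinary file
    "pkg/sub/",             # directory entry; a trailing slash is normal
    "/etc/passwd",          # slash-prefixed (absolute) name
    "../outside.txt",       # parent-directory traversal
    "pkg//double.txt",      # empty path component
    "pkg/../sibling.txt",   # traversal that looks contained
]


def build_sample_archive(names=SAMPLE_NAMES):
    """Write the constructed names into an in-memory zip and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            # ZipInfo keeps leading slashes and ".." verbatim, so the names
            # come back from namelist() exactly as written here.
            zf.writestr(name, b"")
    return buf.getvalue()


def find_malformed_names(zf):
    """Return {name: reason} for entries whose names are not plain relative paths."""
    problems = {}
    for name in zf.namelist():
        parts = name.split("/")
        if name.startswith("/"):
            problems[name] = "absolute path"
        elif ".." in parts:
            problems[name] = "parent-directory component"
        elif "" in parts[:-1]:
            # An empty component before the last slash means "//" inside the
            # name; an empty final component is just a directory entry.
            problems[name] = "empty path component"
    return problems


def audit_archive_bytes(data):
    """Open archive bytes and run the audit; an empty dict means the names are clean."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_malformed_names(zf)


if __name__ == "__main__":
    for name, reason in audit_archive_bytes(build_sample_archive()).items():
        print(f"{reason}: {name!r}")
```

Rejecting an archive on any reported name is the conservative choice; the audit only reads the central directory, so it costs nothing compared with extracting.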
Thanks @jaraco for the PR 🌮🎉. I'm working now to backport this PR to: 3.8, 3.9, 3.10, 3.11, 3.12, 3.13.
🐍🍒⛏🤖
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request
Sorry, @jaraco, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 2231286d78d328c2f575e0b05b16fe447d1656d6 3.11
Sorry, @jaraco, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 2231286d78d328c2f575e0b05b16fe447d1656d6 3.10
Sorry, @jaraco, I could not cleanly backport this to 3.9 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 2231286d78d328c2f575e0b05b16fe447d1656d6 3.9
Sorry, @jaraco, I could not cleanly backport this to 3.8 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 2231286d78d328c2f575e0b05b16fe447d1656d6 3.8
@jaraco Could you please drive the backports to the previous versions as well? Waiting for both the original fix and the surgical fix to go together in the 3.9 and 3.12 versions.
Yes, absolutely.
jaraco added a commit to jaraco/cpython that referenced this pull request
…rgical fix. (pythonGH-123354)
Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286) (cherry picked from commit 17b77bb)
Co-authored-by: Jason R. Coombs jaraco@jaraco.com
jaraco deleted the gh-123270/secure-allowed-names branch
jaraco added a commit to jaraco/cpython that referenced this pull request
Yhg1s pushed a commit that referenced this pull request
jaraco added a commit that referenced this pull request
ambv pushed a commit that referenced this pull request
Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286)
Co-authored-by: Jason R. Coombs jaraco@jaraco.com
- Restore the slash-prefixed paths in the malformed_paths test.
ambv pushed a commit that referenced this pull request