[3.10] gh-123270: Replaced SanitizedNames with a more surgical fix. (GH-123354) by jaraco · Pull Request #123426 · python/cpython
@pablogsal In addition to approving/merging this security fix, I'd like your opinion.
In troubleshooting why the two new tests were failing, I learned that on Python 3.10 only, `zipfile.Path.name` is incorrect for names containing characters specific to the platform's file system (i.e. `:` and `\` on Windows). Probably nobody is going to care about it, but it's conceivable it could lead to a security issue. Trivially, files that are present in the zipfile will appear to be missing on Windows, and potentially someone could craft a zipfile that could cause more serious harm, all because `pathlib.Path` is used to derive the `.name` of the path, producing invalid and unexpected results.
I can think of a few options:
- track the issue as a separate security issue and patch it separately.
- patch the issue as part of this fix, making the behavior consistent with Python 3.9 and 3.11.
- (default) disregard the concern for now, leaving out the tests that caught the concern.
How would you like me to proceed?
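The following is an added illustration of the `.name` concern raised in the comment above; it is example code written for this page, not code from CPython or from the pull request. Zip member names are stored with `/` as the only separator, so the correct way to take a basename is POSIX semantics. To make the demonstration run identically on every platform, `pathlib.PureWindowsPath` stands in for what `pathlib.Path` does on Windows, and the member names (`c:secret.txt`, `dir/back\slash.txt`) are constructed sample data chosen because `:` in drive position and `\` are path-significant on Windows but not in a zip name. The helper names (`posix_name`, `windows_style_name`, `mismatched_members`, `members_hidden_by_windows_naming`) are my own, not zipfile API.

```python
"""Added example (not CPython code): deriving a zip member's basename with a
platform-specific path class gives wrong answers for names that are legal in
a zip archive but contain Windows path syntax."""
import io
import pathlib
import zipfile

# Constructed sample member names. Only the first is harmless everywhere;
# 'c:' is a drive prefix and '\' is a separator under Windows path rules.
MEMBER_NAMES = ["plain/file.txt", "c:secret.txt", "dir/back\\slash.txt"]


def build_archive(names=MEMBER_NAMES):
    """Build an in-memory archive containing one small file per name.

    ZipInfo.__init__ rewrites os.sep to '/', so the filename is assigned
    after construction to store each name verbatim on every platform
    (this is also how a crafted archive would carry such names).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name)
            info.filename = name
            zf.writestr(info, b"content of " + name.encode())
    buf.seek(0)
    return buf


def posix_name(member):
    """Correct basename: zip names use '/' only, so use POSIX semantics."""
    return pathlib.PurePosixPath(member).name


def windows_style_name(member):
    """Simulates the pitfall described above: on Windows, pathlib.Path treats
    'c:' as a drive and '\\' as a separator, so it splits the name there."""
    return pathlib.PureWindowsPath(member).name


def mismatched_members(names=MEMBER_NAMES):
    """Return the member names whose basename differs between the two rules.
    This is the check to run when auditing name-derivation code."""
    return [n for n in names if posix_name(n) != windows_style_name(n)]


def members_hidden_by_windows_naming(names=MEMBER_NAMES):
    """Reproduce 'files present in the zipfile appear to be missing': list the
    archive's children by their Windows-derived .name and report every real
    member whose true basename is not in that listing."""
    with zipfile.ZipFile(build_archive(names)) as zf:
        actual = [info.filename for info in zf.infolist()]
    listed = {windows_style_name(n) for n in actual}
    return [n for n in actual if posix_name(n) not in listed]


if __name__ == "__main__":
    for name in MEMBER_NAMES:
        print(f"{name!r:28} posix={posix_name(name)!r:20} "
              f"windows-style={windows_style_name(name)!r}")
    print("mismatched:", mismatched_members())
    print("hidden:", members_hidden_by_windows_naming())
```

Running it shows that `plain/file.txt` yields the same basename under both rules, while the other two members come back as `secret.txt` and `slash.txt` under Windows rules and therefore cannot be found again by their real names.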