gh-138158: Use the 'data' tarfile filter for multissltests
#138147
Conversation
Fix of a Path Traversal vulnerability in a test script in multissltests.py
|
All commit authors signed the Contributor License Agreement. |
This comment was marked as resolved.
This comment was marked as resolved.
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
|
FYI These are the whitespace changes that should be reverted: 
|
Reverted the unrelated whitespace changes
|
I have made the requested changes; please review again |
|
Thanks for making the requested changes! @AA-Turner: please review the changes made to this pull request. |
There was a problem hiding this comment.
This PR overcomplicates a script that is already complex. The URLs are safe as they are hardcoded. I don't think we need to worry about this kind of attack, unless upstream is affected (namely official openssl, libressl or aws-lc repositories).
Has this PR been generated by AI?
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
Remove additional whitespace Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
This commit refactors the _unpack_src function to use the filter='data' argument in tarfile.extractall(). This change addresses the path traversal vulnerability more robustly, as suggested during code review. It also improves code clarity and removes the need for manual path validation checks.
|
I have made the requested changes; please review again |
|
Thanks for making the requested changes! @AA-Turner, @picnixz: please review the changes made to this pull request. |
|
I will be leaving soon and will only come back on Thursday so I won't be able to check/merge this one. |
Removed the remaining whitespace
ParzivalHack
changed the title
AA-Turner
changed the title
AA-Turner
changed the title
multissltests
This pull request addresses a path traversal vulnerability in the Tools/ssl/multissltests.py script. The vulnerability allows for a crafted tarball to write an arbitrary file to a location outside of the intended build directory due to a lack of sanitization in the _unpack_src method's handling of tarball member names.
A comprehensive, self-contained PoC script was used to demonstrate the issue (and shared with the PSRT), confirming the Path Traversal. The fix implemented in this PR ensures that each tarball member is manually extracted with a path check, preventing any file from escaping the designated directory. This approach provides a clear and robust solution to the issue.
As this is a test script, and not a production component, the Python Security Response Team (PSRT) has advised me to submitt it as a public enhancement. This fix ensures the integrity and robustness of the tool, by preventing an unprivileged file write that could lead to unexpected behavior.
I am submitting this enhancement to improve the overall quality of the CPython test suite. If necessary, I'm available to provide any additional information required for review.