diff --git a/CVE-2007-4559-filter-tarfile_extractall.patch b/CVE-2007-4559-filter-tarfile_extractall.patch index 11e1e3e..9ce6bb4 100644 --- a/CVE-2007-4559-filter-tarfile_extractall.patch +++ b/CVE-2007-4559-filter-tarfile_extractall.patch @@ -13,9 +13,9 @@ Content-Transfer-Encoding: 8bit Lib/shutil.py | 17 Lib/tarfile.py | 361 +++ Lib/test/test_shutil.py | 41 - Lib/test/test_tarfile.py | 964 +++++++++- + Lib/test/test_tarfile.py | 947 +++++++++- Misc/NEWS.d/next/Library/2023-03-23-15-24-38.gh-issue-102953.YR4KaK.rst | 4 - 7 files changed, 1770 insertions(+), 98 deletions(-) + 7 files changed, 1753 insertions(+), 98 deletions(-) --- a/Doc/library/shutil.rst +++ b/Doc/library/shutil.rst @@ -1689,7 +1689,7 @@ Content-Transfer-Encoding: 8bit # convert to filesystem paths f_filename_1 = os.path.join(TEMPDIR, filename_1) -@@ -2870,6 +2910,890 @@ class NumericOwnerTest(unittest.TestCase +@@ -2870,6 +2910,873 @@ class NumericOwnerTest(unittest.TestCase tarfl.extract, filename_1, TEMPDIR, False, True) @@ -2018,18 +2018,6 @@ Content-Transfer-Encoding: 8bit + bio = io.BytesIO(self.contents) + return tarfile.open(fileobj=bio, **kwargs) + -+# Under WASI, `os_helper.can_symlink` is False to make -+# `skip_unless_symlink` skip symlink tests. " -+# But in the following tests we use can_symlink to *determine* which -+# behavior is expected. -+# Like other symlink tests, skip these on WASI for now. -+if support.is_wasi: -+ def symlink_test(f): -+ return unittest.skip("WASI: Skip symlink test for now")(f) -+else: -+ def symlink_test(f): -+ return f -+ + +class TestExtractionFilters(unittest.TestCase): + @@ -2140,7 +2128,6 @@ Content-Transfer-Encoding: 8bit + tarfile.AbsolutePathError, + """['"].*escaped.evil['"] has an absolute path""") + -+ @symlink_test + def test_parent_symlink(self): + # Test interplaying symlinks + # Inspired by 'dirsymlink2a' in jwilk/traversal-archives @@ -2184,7 +2171,6 @@ Content-Transfer-Encoding: 8bit + with self.check_context(arc.open(), 'data'): + self.expect_file('parent/evil') + -+ @symlink_test + def test_parent_symlink2(self): + # Test interplaying symlinks + # Inspired by 'dirsymlink2b' in jwilk/traversal-archives @@ -2219,7 +2205,6 @@ Content-Transfer-Encoding: 8bit + """'current/parent' would link to ['"].*['"], """ + + "which is outside the destination") + -+ @symlink_test + def test_absolute_symlink(self): + # Test symlink to an absolute path + # Inspired by 'dirsymlink' in jwilk/traversal-archives @@ -2249,7 +2234,6 @@ Content-Transfer-Encoding: 8bit + tarfile.AbsoluteLinkError, + "'parent' is a symlink to an absolute path") + -+ @symlink_test + def test_sly_relative0(self): + # Inspired by 'relative0' in jwilk/traversal-archives + with ArchiveMaker() as arc: @@ -2283,7 +2267,6 @@ Content-Transfer-Encoding: 8bit + + "'.*moo', which is outside " + + "the destination") + -+ @symlink_test + def test_sly_relative2(self): + # Inspired by 'relative2' in jwilk/traversal-archives + with ArchiveMaker() as arc: