rpms
/
python-build
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'i9ce'
${ noResults }
python-build/SOURCES/filter-out-malicious-files-...

79 lines
2.2 KiB
Raw Permalink Blame History

From e62a9fbd9ae519d35341dd2e972b43fb1f00b7c7 Mon Sep 17 00:00:00 2001
From: layday <layday@protonmail.com>
Date: Tue, 13 Jun 2023 12:46:09 +0200
Subject: [PATCH] filter out malicious files when extracting tar archives
---
src/build/__main__.py | 5 +++--
src/build/util.py | 16 ++++++++++++++++
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/build/__main__.py b/src/build/__main__.py
index 2d65720..914e0d6 100644
--- a/src/build/__main__.py
+++ b/src/build/__main__.py
@@ -9,7 +9,6 @@ import platform
import shutil
import subprocess
import sys
-import tarfile
import tempfile
import textwrap
import traceback
@@ -228,6 +227,8 @@ def build_package_via_sdist(
:param isolation: Isolate the build in a separate environment
:param skip_dependency_check: Do not perform the dependency check
"""
+ from .util import TarFile
+
if 'sdist' in distributions:
raise ValueError('Only binary distributions are allowed but sdist was specified')
@@ -238,7 +239,7 @@ def build_package_via_sdist(
sdist_out = tempfile.mkdtemp(prefix='build-via-sdist-')
built: list[str] = []
# extract sdist
- with tarfile.open(sdist) as t:
+ with TarFile.open(sdist) as t:
t.extractall(sdist_out)
try:
builder = _ProjectBuilder(os.path.join(sdist_out, sdist_name[: -len('.tar.gz')]))
diff --git a/src/build/util.py b/src/build/util.py
index 90c0028..7597667 100644
--- a/src/build/util.py
+++ b/src/build/util.py
@@ -5,7 +5,9 @@ from __future__ import annotations
import os
import pathlib
import sys
+import tarfile
import tempfile
+import typing
import pyproject_hooks
@@ -56,6 +58,20 @@ def project_wheel_metadata(
return _project_wheel_metadata(builder)
+if typing.TYPE_CHECKING:
+ TarFile = tarfile.TarFile
+
+else:
+ # Per https://peps.python.org/pep-0706/, the "data" filter will become
+ # the default in Python 3.14.
+ if sys.version_info < (3, 14) and hasattr(tarfile, 'data_filter'):
+
+ class TarFile(tarfile.TarFile):
+ extraction_filter = staticmethod(tarfile.data_filter)
+
+ else:
+ TarFile = tarfile.TarFile
+
__all__ = [
'project_wheel_metadata',
]
--
2.40.1
Reference in new issue View Git Blame Copy Permalink