-
Notifications
You must be signed in to change notification settings - Fork 692
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip archive entry names. - python/cpython#122905 - https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
- Loading branch information
Showing
2 changed files
with
128 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,123 @@ | ||
| From ee9f40523d9766f43ddf2c69a4b610dd09668375 Mon Sep 17 00:00:00 2001 | ||
| From: "Jason R. Coombs" <jaraco@jaraco.com> | ||
| Date: Sun, 11 Aug 2024 19:48:50 -0400 | ||
| Subject: [PATCH] gh-122905: Sanitize names in zipfile.Path. (GH-122906) | ||
|
|
||
| Ported from zipp 3.19.1; ref jaraco/zippGH-119. | ||
| (cherry picked from commit 9cd03263100ddb1657826cc4a71470786cab3932) | ||
|
|
||
| Co-authored-by: Jason R. Coombs <jaraco@jaraco.com> | ||
| --- | ||
| Lib/test/test_zipfile/_path/test_path.py | 17 +++++ | ||
| Lib/zipfile/_path/__init__.py | 64 ++++++++++++++++++- | ||
| ...-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1 + | ||
| 3 files changed, 81 insertions(+), 1 deletion(-) | ||
| create mode 100644 Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | ||
|
|
||
| diff --git a/Lib/test/test_zipfile/_path/test_path.py b/Lib/test/test_zipfile/_path/test_path.py | ||
| index 06d5aab69bd6d4..90885dbbe39b92 100644 | ||
| --- a/Lib/test/test_zipfile/_path/test_path.py | ||
| +++ b/Lib/test/test_zipfile/_path/test_path.py | ||
| @@ -577,3 +577,20 @@ def test_getinfo_missing(self, alpharep): | ||
| zipfile.Path(alpharep) | ||
| with self.assertRaises(KeyError): | ||
| alpharep.getinfo('does-not-exist') | ||
| + | ||
| + def test_malformed_paths(self): | ||
| + """ | ||
| + Path should handle malformed paths. | ||
| + """ | ||
| + data = io.BytesIO() | ||
| + zf = zipfile.ZipFile(data, "w") | ||
| + zf.writestr("/one-slash.txt", b"content") | ||
| + zf.writestr("//two-slash.txt", b"content") | ||
| + zf.writestr("../parent.txt", b"content") | ||
| + zf.filename = '' | ||
| + root = zipfile.Path(zf) | ||
| + assert list(map(str, root.iterdir())) == [ | ||
| + 'one-slash.txt', | ||
| + 'two-slash.txt', | ||
| + 'parent.txt', | ||
| + ] | ||
| diff --git a/Lib/zipfile/_path/__init__.py b/Lib/zipfile/_path/__init__.py | ||
| index 78c413563bb2b1..42f9fded21198e 100644 | ||
| --- a/Lib/zipfile/_path/__init__.py | ||
| +++ b/Lib/zipfile/_path/__init__.py | ||
| @@ -83,7 +83,69 @@ def __setstate__(self, state): | ||
| super().__init__(*args, **kwargs) | ||
|
|
||
|
|
||
| -class CompleteDirs(InitializedState, zipfile.ZipFile): | ||
| +class SanitizedNames: | ||
| + """ | ||
| + ZipFile mix-in to ensure names are sanitized. | ||
| + """ | ||
| + | ||
| + def namelist(self): | ||
| + return list(map(self._sanitize, super().namelist())) | ||
| + | ||
| + @staticmethod | ||
| + def _sanitize(name): | ||
| + r""" | ||
| + Ensure a relative path with posix separators and no dot names. | ||
| + | ||
| + Modeled after | ||
| + https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813 | ||
| + but provides consistent cross-platform behavior. | ||
| + | ||
| + >>> san = SanitizedNames._sanitize | ||
| + >>> san('/foo/bar') | ||
| + 'foo/bar' | ||
| + >>> san('//foo.txt') | ||
| + 'foo.txt' | ||
| + >>> san('foo/.././bar.txt') | ||
| + 'foo/bar.txt' | ||
| + >>> san('foo../.bar.txt') | ||
| + 'foo../.bar.txt' | ||
| + >>> san('\\foo\\bar.txt') | ||
| + 'foo/bar.txt' | ||
| + >>> san('D:\\foo.txt') | ||
| + 'D/foo.txt' | ||
| + >>> san('\\\\server\\share\\file.txt') | ||
| + 'server/share/file.txt' | ||
| + >>> san('\\\\?\\GLOBALROOT\\Volume3') | ||
| + '?/GLOBALROOT/Volume3' | ||
| + >>> san('\\\\.\\PhysicalDrive1\\root') | ||
| + 'PhysicalDrive1/root' | ||
| + | ||
| + Retain any trailing slash. | ||
| + >>> san('abc/') | ||
| + 'abc/' | ||
| + | ||
| + Raises a ValueError if the result is empty. | ||
| + >>> san('../..') | ||
| + Traceback (most recent call last): | ||
| + ... | ||
| + ValueError: Empty filename | ||
| + """ | ||
| + | ||
| + def allowed(part): | ||
| + return part and part not in {'..', '.'} | ||
| + | ||
| + # Remove the drive letter. | ||
| + # Don't use ntpath.splitdrive, because that also strips UNC paths | ||
| + bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE) | ||
| + clean = bare.replace('\\', '/') | ||
| + parts = clean.split('/') | ||
| + joined = '/'.join(filter(allowed, parts)) | ||
| + if not joined: | ||
| + raise ValueError("Empty filename") | ||
| + return joined + '/' * name.endswith('/') | ||
| + | ||
| + | ||
| +class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile): | ||
| """ | ||
| A ZipFile subclass that ensures that implied directories | ||
| are always included in the namelist. | ||
| diff --git a/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | ||
| new file mode 100644 | ||
| index 00000000000000..1be44c906c4f30 | ||
| --- /dev/null | ||
| +++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | ||
| @@ -0,0 +1 @@ | ||
| +:class:`zipfile.Path` objects now sanitize names from the zipfile. |