gh-122905: Sanitize names in zipfile.Path. #122906

Merged

jaraco
Member

@jaraco jaraco commented Aug 11, 2024

@jaraco
Member Author

jaraco commented Aug 11, 2024

This behavior has been published in jaraco/zipp since 2024-05-31, so I'm confident it's stable.

@jaraco jaraco merged commit 9cd0326 into python:main Aug 11, 2024
40 checks passed
@miss-islington-app

Thanks @jaraco for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9, 3.10, 3.11, 3.12, 3.13.
🐍🍒⛏🤖

@jaraco jaraco deleted the bugfix/122905-malformed-zipfile-path-inputs branch August 11, 2024 23:48
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Aug 11, 2024
Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
@bedevere-app

bedevere-app bot commented Aug 11, 2024

GH-122922 is a backport of this pull request to the 3.13 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Aug 11, 2024
Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Aug 11, 2024
@bedevere-app

bedevere-app bot commented Aug 11, 2024

GH-122923 is a backport of this pull request to the 3.12 branch.

@miss-islington-app

Sorry, @jaraco, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 9cd03263100ddb1657826cc4a71470786cab3932 3.11

@bedevere-app bedevere-app bot removed the needs backport to 3.12 bug and security fixes label Aug 11, 2024
@miss-islington-app

Sorry, @jaraco, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 9cd03263100ddb1657826cc4a71470786cab3932 3.10

@miss-islington-app

Sorry, @jaraco, I could not cleanly backport this to 3.9 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 9cd03263100ddb1657826cc4a71470786cab3932 3.9

@miss-islington-app

Sorry, @jaraco, I could not cleanly backport this to 3.8 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 9cd03263100ddb1657826cc4a71470786cab3932 3.8

jaraco added a commit to jaraco/cpython that referenced this pull request Aug 12, 2024
Ported from zipp 3.19.1; ref jaraco/zipp#119.

(cherry picked from commit 9cd0326)
jaraco added a commit to jaraco/cpython that referenced this pull request Aug 12, 2024
)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
@bedevere-app

bedevere-app bot commented Aug 12, 2024

GH-122925 is a backport of this pull request to the 3.11 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.11 only security fixes label Aug 12, 2024
@jaraco
Member Author

jaraco commented Aug 12, 2024

I've proposed the backport to 3.11. I'm hoping to cherrypick that to 3.10 and earlier, assuming it's accepted, rather than cherry-picking the change in main and re-reconciling the conflicts.

pablogsal pushed a commit that referenced this pull request Aug 19, 2024
* gh-122905: Sanitize names in zipfile.Path. (#122906)

Ported from zipp 3.19.1; ref jaraco/zipp#119.

(cherry picked from commit 9cd0326)

* [3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
jaraco added a commit to jaraco/cpython that referenced this pull request Aug 19, 2024
…nGH-122906) (pythonGH-122925)

* pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.

(cherry picked from commit 9cd0326)

* [3.11] pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

(cherry picked from commit 795f259)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
jaraco added a commit to jaraco/cpython that referenced this pull request Aug 19, 2024
…GH-122906) (pythonGH-122925)

* pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.

(cherry picked from commit 9cd0326)

* [3.11] pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

(cherry picked from commit 795f259)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
@bedevere-app

bedevere-app bot commented Aug 19, 2024

GH-123161 is a backport of this pull request to the 3.9 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.9 only security fixes label Aug 19, 2024
@bedevere-app

bedevere-app bot commented Aug 19, 2024

GH-123162 is a backport of this pull request to the 3.8 branch.

@bedevere-app

bedevere-app bot commented Aug 19, 2024

GH-123160 is a backport of this pull request to the 3.10 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.10 only security fixes label Aug 19, 2024
blhsing pushed a commit to blhsing/cpython that referenced this pull request Aug 22, 2024
@jaraco
Member Author

jaraco commented Aug 22, 2024

That's weird - all three backports (3.8, 3.9, 3.10) are failing on the macos runners, two of them with segmentation faults. I'm 99.9% certain these changes aren't directly implicated. I've restarted the runners to see if maybe that clears things up, but there seem to be some stability issues on those branches.

pablogsal pushed a commit that referenced this pull request Aug 22, 2024
[3.10] [3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906) (GH-122925)

* gh-122905: Sanitize names in zipfile.Path. (GH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.

(cherry picked from commit 9cd0326)

* [3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

(cherry picked from commit 795f259)
@obfusk
Contributor

obfusk commented Aug 23, 2024

This introduced a regression: #123270.

Successfully merging this pull request may close these issues.

Malformed payload can lead to infinite loops in zipfile.Path