gh-123270: Replaced SanitizedNames with a more surgical fix.

[jaraco]

Applies changes from zipp 3.20.1 and jaraco/zipp#124

• Issue: zipfile.Path regression #123270

• Original issue: Malformed payload can lead to infinite loops in zipfile.Path #122905

[jaraco]

Seth, I'm seeking your review on this for a couple of reasons.

1. It's a tweak to a security fix, so needs to be applied to the same place. Do you agree this should be applied as an amendment to the previous security fix?

2. It re-introduces potential vulnerabilities discussed here that were addressed by the original approach but also broke legitimate cases. Are you comfortable with more narrowly addressing the reported vulnerability (causing infinite loops) and leaving the other potential concerns to be addressed separately?

[sethmlarson]

Thanks @jaraco, I'll take a look. Maybe you can clarify for me, the vulnerability only affects zipfile.Path and not zipfile.ZipFile methods using namelist, etc? If that's the case I need to update the advisory.

[obfusk]

Maybe you can clarify for me, the vulnerability only affects zipfile.Path and not zipfile.ZipFile methods using namelist, etc? If that's the case I need to update the advisory.

FYI I wrote about that here: https://www.openwall.com/lists/oss-security/2024/08/23/2

[jaraco]

Thanks @jaraco, I'll take a look. Maybe you can clarify for me, the vulnerability only affects zipfile.Path and not zipfile.ZipFile methods using namelist, etc? If that's the case I need to update the advisory.

That is correct.

[miss-islington-app]

Thanks @jaraco for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9, 3.10, 3.11, 3.12, 3.13.
🐍🍒⛏🤖

[bedevere-app]

GH-123410 is a backport of this pull request to the 3.13 branch.

[miss-islington-app]

Sorry, @jaraco, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 2231286d78d328c2f575e0b05b16fe447d1656d6 3.11

[bedevere-app]

GH-123411 is a backport of this pull request to the 3.12 branch.

[miss-islington-app]

Sorry, @jaraco, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 2231286d78d328c2f575e0b05b16fe447d1656d6 3.10

[miss-islington-app]

Sorry, @jaraco, I could not cleanly backport this to 3.9 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 2231286d78d328c2f575e0b05b16fe447d1656d6 3.9

[miss-islington-app]

Sorry, @jaraco, I could not cleanly backport this to 3.8 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 2231286d78d328c2f575e0b05b16fe447d1656d6 3.8

[sindhu-karri]

@jaraco Could you please drive the backports to the previous versions as well. Waiting for both the original fix and surgical fix to go together in the 3.9 and 3.12 versions

[jaraco]

@jaraco Could you please drive the backports to the previous versions as well. Waiting for both the original fix and surgical fix to go together in the 3.9 and 3.12 versions

Yes, absolutely.

[bedevere-app]

GH-123425 is a backport of this pull request to the 3.11 branch.

[bedevere-app]

GH-123426 is a backport of this pull request to the 3.10 branch.

[jaraco]

Unfortunately, I can't complete a backport to 3.8 or 3.9 because the diff depends on other PRs not yet merged:

• [3.9] gh-122905: Sanitize names in zipfile.Path. (GH-122906) #123161
• [3.8] gh-122905: Sanitize names in zipfile.Path. (GH-122906) #123162

I guess I could hand-resolve the combination of the two, but I feel a little uneasy doing that.

[bedevere-app]

GH-123432 is a backport of this pull request to the 3.9 branch.

[bedevere-app]

GH-123433 is a backport of this pull request to the 3.8 branch.