From eff4e88d2cc01d60a8ad03108f0d5691bde0e976 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Tue, 6 Jun 2023 15:29:06 +0200
Subject: [PATCH] python:safe_tarfile: Set extraction_filter for pythons providing it It should be available for Python >= 3.11.4 but also has been backported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390
Signed-off-by: Andreas Schneider
Reviewed-by: Douglas Bagnall
(cherry picked from commit 8c90c66a9a409d807dad56822540509c9813425b)
---
 python/samba/safe_tarfile.py | 36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/python/samba/safe_tarfile.py b/python/samba/safe_tarfile.py
index cc19770d73f..164bb0b31fe 100644
--- a/python/samba/safe_tarfile.py
+++ b/python/samba/safe_tarfile.py
@@ -15,6 +15,7 @@
 # along with this program. If not, see .
+import tarfile
 from tarfile import ExtractError, TarInfo, TarFile as UnsafeTarFile
@@ -24,20 +25,27 @@ class TarFile(UnsafeTarFile):
 using '../../'.
 """
- def extract(self, member, path="", set_attrs=True, *, numeric_owner=False):
- if isinstance(member, TarInfo):
- name = member.name
- else:
- name = member
-
- if '../' in name:
- raise ExtractError(f"'../' is not allowed in path '{name}'")
-
- if name.startswith('/'):
- raise ExtractError(f"path '{name}' should not start with '/'")
-
- super().extract(member, path, set_attrs=set_attrs,
- numeric_owner=numeric_owner)
+ try:
+ # New in version 3.11.4 (also has been backported)
+ # https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extraction_filter
+ # https://peps.python.org/pep-0706/
+ extraction_filter = staticmethod(tarfile.data_filter)
+ except AttributeError:
+ def extract(self, member, path="", set_attrs=True, *,
+ numeric_owner=False):
+ if isinstance(member, TarInfo):
+ name = member.name
+ else:
+ name = member
+
+ if '../' in name:
+ raise ExtractError(f"'../' is not allowed in path '{name}'")
+
+ if name.startswith('/'):
+ raise ExtractError(f"path '{name}' should not start with '/'")
+
+ super().extract(member, path, set_attrs=set_attrs,
+ numeric_owner=numeric_owner)
 open = TarFile.open
--
2.47.3
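Review bot: The two branches of the new `try`/`except AttributeError` do not give callers the same failure contract, and nothing in the hunk says so. Where `tarfile.data_filter` exists the `extract` override is not defined at all, so a refused member raises a `tarfile.FilterError` subclass (a sibling of `ExtractError` under `TarError`) and a leading '/' is stripped rather than rejected, while the fallback branch still raises `ExtractError` for both cases. Any caller or test written as `except ExtractError` would presumably stop seeing the refusal on newer interpreters, so I would document this above the `try`: `# With data_filter, unsafe members raise tarfile.FilterError, not ExtractError; catch tarfile.TarError to cover both branches.` The class docstring, which starts outside this hunk, still describes only the '../../' check and should also mention that `data_filter` drops ownership and special mode bits, and that a per-call `filter=` argument overrides `extraction_filter`.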