From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date: Sat, 30 Aug 2025 10:49:45 +0000 (+0200)
Subject: [3.13] gh-138158: Use the `"data"` tarfile extraction filter in `Tools/ssl/multisslte... 
X-Git-Tag: v3.13.8~140
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8dd027602dc57997a98bbb2fec3ee10473bf012f;p=thirdparty%2FPython%2Fcpython.git

[3.13] gh-138158: Use the `"data"` tarfile extraction filter in `Tools/ssl/multissltests.py` (GH-138147) (#138263)

gh-138158: Use the `"data"` tarfile extraction filter in `Tools/ssl/multissltests.py` (GH-138147)

The `Tools/ssl/multissltests.py` script may extract a possibly untrusted tarball.
Since the script does not necessarily use Python 3.14 or later (where the `"data"`
filter became the default `tarfile` extraction filter), the user may theoretically
suffer from a path traversal attack.

Although the script should not be used in production and usually relies on downloading
trusted sources, the `"data"` extraction filter is now explicitly used wherever relevant.
(cherry picked from commit 31d3836f26096f9503ca68f4e89d927bc1e060cd)

Co-authored-by: Tommaso Bona <piergeolo@gmail.com>
---

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index eae0e0c5e876..ea88a43157bd 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -292,7 +292,7 @@ class AbstractBuilder(object):
                 raise ValueError(member.name, base)
             member.name = member.name[len(base):].lstrip('/')
         log.info("Unpacking files to {}".format(self.build_dir))
-        tf.extractall(self.build_dir, members)
+        tf.extractall(self.build_dir, members, filter='data')
 
     def _build_src(self, config_args=()):
         """Now build openssl"""