samba.git/python/samba/tests/safe_tarfile.py, branch master Unnamed repository; edit this file 'description' to name the repository. pytest: safe_tarfile: accept NotADirectoryError as bad path rejection 2025-08-26T22:42:39+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-08-22T03:24:34+00:00 7a5b22e4221ea2a0960a26cf79339168f0899d0c After recent upstream Python fixes for various path escape and symlink CVEs in tarfile, in particular this commit: commit 3612d8f51741b11f36f8fb0494d79086bac9390a Author: Łukasz Langa <lukasz@langa.pl> Date: Tue Jun 3 12:42:11 2025 +0200 gh-135034: Normalize link targets in tarfile, add `os.path.realpath(strict='allow_missing')` (#135037) Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517. Signed-off-by: Łukasz Langa <lukasz@langa.pl> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> our ../../ test that looks for a tarfile.OutsideDestinationError now meets a NotADirectoryError in recent Python versions (this from 3.13, Fedora 42): UNEXPECTED(error): samba.tests.safe_tarfile.samba.tests.safe_tarfile.SafeTarFileTestCase.test_dots(none) REASON: Exception: Exception: Traceback (most recent call last): File "/tmp/samba-testbase/b1/samba-o3/bin/python/samba/tests/safe_tarfile.py", line 48, in test_dots self.assertRaises(tarfile.OutsideDestinationError, ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ stf.extractall, ^^^^^^^^^^^^^^^ tarname) ^^^^^^^^ File "/usr/lib64/python3.13/unittest/case.py", line 795, in assertRaises return context.handle('assertRaises', args, kwargs) ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/python3.13/unittest/case.py", line 238, in handle callable_obj(*args, **kwargs) ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^ File "/usr/lib64/python3.13/tarfile.py", line 2343, in extractall tarinfo, unfiltered = self._get_extract_tarinfo( ~~~~~~~~~~~~~~~~~~~~~~~~~^ member, filter_function, path) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/python3.13/tarfile.py", line 2432, in _get_extract_tarinfo self._handle_fatal_error(e) ~~~~~~~~~~~~~~~~~~~~~~~~^^^ File "/usr/lib64/python3.13/tarfile.py", line 2430, in _get_extract_tarinfo filtered = filter_function(unfiltered, path) File "/usr/lib64/python3.13/tarfile.py", line 842, in tar_filter new_attrs = _get_filtered_attrs(member, dest_path, False) File "/usr/lib64/python3.13/tarfile.py", line 783, in _get_filtered_attrs target_path = os.path.realpath(os.path.join(dest_path, name), strict=os.path.ALLOW_MISSING) File "<frozen posixpath>", line 457, in realpath NotADirectoryError: [Errno 20] Not a directory: '/tmp/samba-testbase/b1/samba-o3/bin/ab/tmp/tmpbn6e69ci/tar.tar' In this commit, we say that a NotADirectoryError is OK. When we started safe_tarfile we were acting in advance of upstream Python, but now they are well ahead of us. If we trust their work in recent versions and accept the error conditions they choose, we can more easily get rid of our safe_tarfile when the time is right. For the moment we still support as far back as Python 3.6 for some old enterprise distros, and it is for those that we continue to maintain safe_tarfile. In versions before 3.11 we will see tarfile.ExtractError, and the test for that is unaffected by this change. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
After recent upstream Python fixes for various path escape and symlink
CVEs in tarfile, in particular this commit:

  commit 3612d8f51741b11f36f8fb0494d79086bac9390a
  Author: Łukasz Langa <lukasz@langa.pl>
  Date:   Tue Jun 3 12:42:11 2025 +0200

  gh-135034: Normalize link targets in tarfile, add `os.path.realpath(strict='allow_missing')` (#135037)

  Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

  Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
  Co-authored-by: Petr Viktorin <encukou@gmail.com>
  Co-authored-by: Seth Michael Larson <seth@python.org>
  Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
  Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

our ../../ test that looks for a tarfile.OutsideDestinationError now
meets a NotADirectoryError in recent Python versions (this from 3.13,
Fedora 42):

UNEXPECTED(error): samba.tests.safe_tarfile.samba.tests.safe_tarfile.SafeTarFileTestCase.test_dots(none)
REASON: Exception: Exception: Traceback (most recent call last):
  File "/tmp/samba-testbase/b1/samba-o3/bin/python/samba/tests/safe_tarfile.py", line 48, in test_dots
    self.assertRaises(tarfile.OutsideDestinationError,
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                      stf.extractall,
                      ^^^^^^^^^^^^^^^
                      tarname)
                      ^^^^^^^^
  File "/usr/lib64/python3.13/unittest/case.py", line 795, in assertRaises
    return context.handle('assertRaises', args, kwargs)
           ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.13/unittest/case.py", line 238, in handle
    callable_obj(*args, **kwargs)
    ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.13/tarfile.py", line 2343, in extractall
    tarinfo, unfiltered = self._get_extract_tarinfo(
                          ~~~~~~~~~~~~~~~~~~~~~~~~~^
        member, filter_function, path)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.13/tarfile.py", line 2432, in _get_extract_tarinfo
    self._handle_fatal_error(e)
    ~~~~~~~~~~~~~~~~~~~~~~~~^^^
  File "/usr/lib64/python3.13/tarfile.py", line 2430, in _get_extract_tarinfo
    filtered = filter_function(unfiltered, path)
  File "/usr/lib64/python3.13/tarfile.py", line 842, in tar_filter
    new_attrs = _get_filtered_attrs(member, dest_path, False)
  File "/usr/lib64/python3.13/tarfile.py", line 783, in _get_filtered_attrs
    target_path = os.path.realpath(os.path.join(dest_path, name),
                                   strict=os.path.ALLOW_MISSING)
  File "<frozen posixpath>", line 457, in realpath
NotADirectoryError: [Errno 20] Not a directory: '/tmp/samba-testbase/b1/samba-o3/bin/ab/tmp/tmpbn6e69ci/tar.tar'

In this commit, we say that a NotADirectoryError is OK.

When we started safe_tarfile we were acting in advance of upstream
Python, but now they are well ahead of us. If we trust their work in
recent versions and accept the error conditions they choose, we can
more easily get rid of our safe_tarfile when the time is right.

For the moment we still support as far back as Python 3.6 for some old
enterprise distros, and it is for those that we continue to maintain
safe_tarfile. In versions before 3.11 we will see
tarfile.ExtractError, and the test for that is unaffected by this
change.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
python: Remove unused imports 2023-08-30T02:15:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-08-24T23:09:52+00:00 fce882ab67186fddd957404fe62f84d41380895c Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python:tests: Fix typos 2023-06-25T23:29:32+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-06-12T22:34:39+00:00 b11ad8b137619a73853f7d6dc5e749305149c677 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python:tests: Adopt safe_tarfile for extraction_filter raises 2023-06-14T22:57:34+00:00 Andreas Schneider asn@samba.org 2023-06-06T14:06:57+00:00 ebaa00816259cbae5c45ebf0ba5fb260b09e4695 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
CVE-2007-4559 python: ensure sanity in our tarfiles 2022-10-04T03:48:43+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2022-09-23T00:32:25+00:00 37406b9d97f123576c811b9fe22b39b02af62f83 Python's tarfile module is not very careful about paths that step out of the target directory. We can be a bit better at little cost. This was reported in 2007[1], and has recently been publicised [2, for example]. We were informed of this bug in December 2021 by Luis Alberto López Alvar, but decided then that there were no circumstances under which this was a security concern. That is, if you can alter the backup files, you can already do worse things. But there is a case to guard against an administrator being tricked into trying to restore a file that isn't based on a real backup. [1] https://nvd.nist.gov/vuln/detail/CVE-2007-4559 [2] https://www.theregister.com/2022/09/22/python_vulnerability_tarfile/ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15185 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Oct 4 03:48:43 UTC 2022 on sn-devel-184 
Python's tarfile module is not very careful about paths that step out
of the target directory. We can be a bit better at little cost.

This was reported in 2007[1], and has recently been publicised [2, for
example].

We were informed of this bug in December 2021 by Luis Alberto López
Alvar, but decided then that there were no circumstances under which
this was a security concern. That is, if you can alter the backup
files, you can already do worse things. But there is a case to guard
against an administrator being tricked into trying to restore a file
that isn't based on a real backup.

[1] https://nvd.nist.gov/vuln/detail/CVE-2007-4559
[2] https://www.theregister.com/2022/09/22/python_vulnerability_tarfile/

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15185

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct  4 03:48:43 UTC 2022 on sn-devel-184