Merge pull request #2443 from swt2c/safer_tar

Use new tarfile.extractall() filter for safer tarfile extraction
wxWidgets · Aug 4, 2023 · e4fd9a3 · e4fd9a3
2 parents 82b9b5b + e5c92b3
commit e4fd9a3
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/build.py b/build.py
@@ -28,6 +28,7 @@
 import datetime
 import shlex
 import textwrap
+import warnings
 
 try:
     import pathlib
@@ -1403,7 +1404,11 @@ def injectClassInfo(className, srcTxt):
         tf_name = glob.glob(tmpdir + '/*.tar*')[0]
         tf_dir = os.path.splitext(os.path.splitext(tf_name)[0])[0]
         with tarfile.open(tf_name) as tf:
-            tf.extractall(tmpdir)
+            try:
+                tf.extractall(tmpdir, filter='data')
+            except TypeError:
+                warnings.warn('Falling back to less safe tarfile.extractall')
+                tf.extractall(tmpdir)
         shutil.move(tf_dir, cfg.SIPINC)
 
 

diff --git a/wx/tools/wxget_docs_demo.py b/wx/tools/wxget_docs_demo.py
@@ -33,6 +33,7 @@
 import subprocess
 import webbrowser
 import tarfile
+import warnings
 if sys.version_info >= (3,):
     from urllib.error import HTTPError
     import urllib.request as urllib2
@@ -84,7 +85,11 @@ def unpack_cached(cached, dest_dir):
     """ Unpack from the cache."""
     print('Unpack', cached, 'to', dest_dir)
     with tarfile.open(cached, "r:*") as tf:
-        tf.extractall(dest_dir)
+        try:
+            tf.extractall(dest_dir, filter='data')
+        except TypeError:
+            warnings.warn('Falling back to less safe tarfile.extractall')
+            tf.extractall(dest_dir)
     dest_dir = os.listdir(dest_dir)[0]
     return dest_dir