Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[3.13] gh-119588: Implement zipfile.Path.is_symlink (zipp 3.19.0). (GH-119591) #119985

Merged
merged 1 commit into from
Jun 4, 2024
Merged

[3.13] gh-119588: Implement zipfile.Path.is_symlink (zipp 3.19.0). (GH-119591) #119985

merged 1 commit into from
Jun 4, 2024
+32 −12

Conversation

miss-islington
Copy link
Contributor

@miss-islington miss-islington commented Jun 3, 2024
edited by github-actions bot
Loading

(cherry picked from commit 42a34dd)

Co-authored-by: Jason R. Coombs jaraco@jaraco.com

📚 Documentation preview 📚: https://cpython-previews--119985.org.readthedocs.build/

@jaraco @miss-islington
pythongh-119588: Implement zipfile.Path.is_symlink (zipp 3.19.0). (py…
094c41e 
…thonGH-119591)

(cherry picked from commit 42a34dd)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
@miss-islington miss-islington requested a review from jaraco as a code owner June 3, 2024 15:13
@bedevere-app bedevere-app bot mentioned this pull request Jun 3, 2024
Merged
@bedevere-app bedevere-app bot mentioned this pull request Jun 3, 2024
Closed
@jaraco
Copy link
Member

jaraco commented Jun 3, 2024
edited
Loading

@Yhg1s Can you confirm you consider this issue to be a (security) bug and thus qualifies for merge here and in 3.12?

The bug/security concern is that if a user were to use zipfile.Path().is_symlink() to screen for symlinks thinking that it was actually checking, and then they were to unzip that file using another tool that honor symlinks, they could inadvertently be creating symlinks where they expected not to create them.

It feels slightly more like a feature than a bug fix to me, and I don't feel strongly about it. I'll follow whatever direction you or a delegate wish to go.

@jaraco jaraco requested a review from Yhg1s June 3, 2024 16:07
@Yhg1s
Copy link
Member

Yhg1s commented Jun 4, 2024

No, I do not believe these are important security fixes, and they're changes in behaviour that could just as easily cause security issues. The ZIP standard is much to fluid, what with all its extensions, that you can't mix and match implementations and expect a sensible result. Verifying contents with zipfile and then unpacking with a different tool altogether does not make sense from a security perspective. I believe we should simply consider this a bugfix with a change in semantics. However, I'm okay with this going into 3.13 at this stage, just not 3.12.

@Yhg1s Yhg1s mentioned this pull request Jun 4, 2024
Closed
@jaraco jaraco merged commit 34a6d89 into python:3.13 Jun 4, 2024
38 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Yhg1s Yhg1s Yhg1s approved these changes

@jaraco jaraco Awaiting requested review from jaraco jaraco is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@miss-islington @jaraco @Yhg1s