diff options
| author | Eli Schwartz <eschwartz93@gmail.com> | 2025-10-19 11:47:00 -0400 |
|---|---|---|
| committer | Eli Schwartz <eschwartz93@gmail.com> | 2025-10-30 22:16:05 -0400 |
| commit | 6b4f2c7964115fa5d12f8f2234715a2ee67ea8dd (patch) | |
| tree | b9c1225762aebfdb197b1308959b19e94a8db190 /mesonbuild/msubprojects.py | |
| parent | 08a78f856b38c774aef382ea97e4fc47a9cd9685 (diff) | |
| download | meson-6b4f2c7964115fa5d12f8f2234715a2ee67ea8dd.tar.gz | |
mdist: fix failure to create tar files the user asked to create
Python added a "feature" to assume tarfile extraction is meant solely
for "data", i.e. it ignores many useful features of tar such as
symlinks, ownership, or permission modes that are uncommon on Windows.
Revert this entirely, as Meson is a "fully trusted" application. It can
already execute arbitrary programs, tar files are not vulnerabilities.
In theory "tar" mode exists and is not "data", but we are fully trusted
so why split hairs?
Fixes: https://github.com/mesonbuild/meson/issues/15142
Diffstat (limited to 'mesonbuild/msubprojects.py')
| -rwxr-xr-x | mesonbuild/msubprojects.py | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/mesonbuild/msubprojects.py b/mesonbuild/msubprojects.py index d4549c054..f4b440563 100755 --- a/mesonbuild/msubprojects.py +++ b/mesonbuild/msubprojects.py @@ -1,7 +1,7 @@ from __future__ import annotations from dataclasses import dataclass, InitVar -import os, subprocess +import sys, os, subprocess import argparse import asyncio import fnmatch @@ -61,6 +61,9 @@ if T.TYPE_CHECKING: ALL_TYPES_STRING = ', '.join(ALL_TYPES) +if sys.version_info >= (3, 14): + tarfile.TarFile.extraction_filter = staticmethod(tarfile.fully_trusted_filter) + def read_archive_files(path: Path, base_path: Path) -> T.Set[Path]: if path.suffix == '.zip': with zipfile.ZipFile(path, 'r') as zip_archive: |