8000 [3.9] gh-121285: Remove backtracking when parsing tarfile headers (GH… · python/cpython@b4225ca · GitHub
[go: up one dir, main page]

Skip to content

Commit b4225ca

Browse files
sethmlarsonEclips4gpshead
authored
[3.9] gh-121285: Remove backtracking when parsing tarfile headers (GH-121286) (#123641)
* Remove backtracking when parsing tarfile headers * Rewrite PAX header parsing to be stricter * Optimize parsing of GNU extended sparse headers v0.0 (cherry picked from commit 34ddb64) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru> Co-authored-by: Gregory P. Smith <greg@krypto.org>
1 parent f7be505 commit b4225ca

File tree

3 files changed

+111
-38
lines changed

3 files changed

+111
-38
lines changed

Lib/tarfile.py

Lines changed: 67 additions & 38 deletions
Original file line numberDiff line numberDiff line change
@@ -840,6 +840,9 @@ def data_filter(member, dest_path):
840840
# Sentinel for replace() defaults, meaning "don't change the attribute"
841841
_KEEP = object()
842842

843+
# Header length is digits followed by a space.
844+
_header_length_prefix_re = re.compile(br"([0-9]{1,20}) ")
845+
843846
class TarInfo(object):
844847
"""Informational class which holds the details about an
845848
archive member given by a tar header block.
@@ -1399,59 +1402,76 @@ def _proc_pax(self, tarfile):
13991402
else:
14001403
pax_headers = tarfile.pax_headers.copy()
14011404

1402-
# Check if the pax header contains a hdrcharset field. This tells us
1403-
# the encoding of the path, linkpath, uname and gname fields. Normally,
1404-
# these fields are UTF-8 encoded but since POSIX.1-2008 tar
1405-
# implementations are allowed to store them as raw binary strings if
1406-
# the translation to UTF-8 fails.
1407-
match = re.search(br"\d+ hdrcharset=([^\n]+)\n", buf)
1408-
if match is not None:
1409-
pax_headers["hdrcharset"] = match.group(1).decode("utf-8")
1410-
1411-
# For the time being, we don't care about anything other than "BINARY".
1412-
# The only other value that is currently allowed by the standard is
1413-
# "ISO-IR 10646 2000 UTF-8" in other words UTF-8.
1414-
hdrcharset = pax_headers.get("hdrcharset")
1415-
if hdrcharset == "BINARY":
1416-
encoding = tarfile.encoding
1417-
else:
1418-
encoding = "utf-8"
1419-
14201405
# Parse pax header information. A record looks like that:
14211406
# "%d %s=%s\n" % (length, keyword, value). length is the size
14221407
# of the complete record including the length field itself and
1423-
# the newline. keyword and value are both UTF-8 encoded strings.
1424-
regex = re.compile(br"(\d+) ([^=]+)=")
1408+
# the newline.
14251409
pos = 0
1426-
while True:
1427-
match = regex.match(buf, pos)
1428-
if not match:
1429-
break
1410+
encoding = None
1411+
raw_headers = []
1412+
while len(buf) > pos and buf[pos] != 0x00:
1413+
if not (match := _header_length_prefix_re.match(buf, pos)):
1414+
raise InvalidHeaderError("invalid header")
1415+
try:
1416+
length = int(match.group(1))
1417+
except ValueError:
1418+
raise InvalidHeaderError("invalid header")
1419+
# Headers must be at least 5 bytes, shortest being '5 x=\n'.
1420+
# Value is allowed to be empty.
1421+
if length < 5:
1422+
raise InvalidHeaderError("invalid header")
1423+
if pos + length > len(buf):
1424+
raise InvalidHeaderError("invalid header")
14301425

1431-
length, keyword = match.groups()
1432-
length = int(length)
1433-
if length == 0:
1426+
header_value_end_offset = match.start(1) + length - 1 # Last byte of the header
1427+
keyword_and_value = buf[match.end(1) + 1:header_value_end_offset]
1428+
raw_keyword, equals, raw_value = keyword_and_value.partition(b"=")
1429+
1430+
# Check the framing of the header. The last character must be '\n' (0x0A)
1431+
if not raw_keyword or equals != b"=" or buf[header_value_end_offset] != 0x0A:
14341432
raise InvalidHeaderError("invalid header")
1435-
value = buf[match.end(2) + 1:match.start(1) + length - 1]
1433+
raw_headers.append((length, raw_keyword, raw_value))
1434+
1435+
# Check if the pax header contains a hdrcharset field. This tells us
1436+
# the encoding of the path, linkpath, uname and gname fields. Normally,
1437+
# these fields are UTF-8 encoded but since POSIX.1-2008 tar
1438+
# implementations are allowed to store them as raw binary strings if
1439+
# the translation to UTF-8 fails. For the time being, we don't care about
1440+
# anything other than "BINARY". The only other value that is currently
1441+
# allowed by the standard is "ISO-IR 10646 2000 UTF-8" in other words UTF-8.
1442+
# Note that we only follow the initial 'hdrcharset' setting to preserve
1443+
# the initial behavior of the 'tarfile' module.
1444+
if raw_keyword == b"hdrcharset" and encoding is None:
1445+
if raw_value == b"BINARY":
1446+
encoding = tarfile.encoding
1447+
else: # This branch ensures only the first 'hdrcharset' header is used.
1448+
encoding = "utf-8"
1449+
1450+
pos += length
14361451

1452+
# If no explicit hdrcharset is set, we use UTF-8 as a default.
1453+
if encoding is None:
1454+
encoding = "utf-8"
1455+
1456+
# After parsing the raw headers we can decode them to text.
1457+
for length, raw_keyword, raw_value in raw_headers:
14371458
# Normally, we could just use "utf-8" as the encoding and "strict"
14381459
# as the error handler, but we better not take the risk. For
14391460
# example, GNU tar <= 1.23 is known to store filenames it cannot
14401461
# translate to UTF-8 as raw strings (unfortunately without a
14411462
# hdrcharset=BINARY header).
14421463
# We first try the strict standard encoding, and if that fails we
14431464
# fall back on the user's encoding and error handler.
1444-
keyword = self._decode_pax_field(keyword, "utf-8", "utf-8",
1465+
keyword = self._decode_pax_field(raw_keyword, "utf-8", "utf-8",
14451466
tarfile.errors)
14461467
if keyword in PAX_NAME_FIELDS:
1447-
value = self._decode_pax_field(value, encoding, tarfile.encoding,
1468+
value = self._decode_pax_field(raw_value, encoding, tarfile.encoding,
14481469
tarfile.errors)
14491470
else:
1450-
value = self._decode_pax_field(value, "utf-8", "utf-8",
1471+
value = self._decode_pax_field(raw_value, "utf-8", "utf-8",
14511472
tarfile.errors)
14521473

14531474
pax_headers[keyword] = value
1454-
pos += length
14551475

14561476
# Fetch the next header.
14571477
try:
@@ -1466,7 +1486,7 @@ def _proc_pax(self, tarfile):
14661486

14671487
elif "GNU.sparse.size" in pax_headers:
14681488
# GNU extended sparse format version 0.0.
1469-
self._proc_gnusparse_00(next, pax_headers, buf)
1489+
self._proc_gnusparse_00(next, raw_headers)
14701490

14711491
elif pax_headers.get("GNU.sparse.major") == "1" and pax_headers.get("GNU.sparse.minor") == "0":
14721492
# GNU extended sparse format version 1.0.
@@ -1488,15 +1508,24 @@ def _proc_pax(self, tarfile):
14881508

14891509
return next
14901510

1491-
def _proc_gnusparse_00(self, next, pax_headers, buf):
1511+
def _proc_gnusparse_00(self, next, raw_headers):
14921512
"""Process a GNU tar extended sparse header, version 0.0.
14931513
"""
14941514
offsets = []
1495-
for match in re.finditer(br"\d+ GNU.sparse.offset=(\d+)\n", buf):
1496-
offsets.append(int(match.group(1)))
14971515
numbytes = []
1498-
for match in re.finditer(br"\d+ GNU.sparse.numbytes=(\d+)\n", buf):
1499-
numbytes.append(int(match.group(1)))
1516+
for _, keyword, value in raw_headers:
1517+
if keyword == b"GNU.sparse.offset":
1518+
try:
1519+
offsets.append(int(value.decode()))
1520+
except ValueError:
1521+
raise InvalidHeaderError("invalid header")
1522+
1523+
elif keyword == b"GNU.sparse.numbytes":
1524+
try:
1525+
numbytes.append(int(value.decode()))
1526+
except ValueError:
1527+
raise InvalidHeaderError("invalid header")
1528+
15001529
next.sparse = list(zip(offsets, numbytes))
15011530

15021531
def _proc_gnusparse_01(self, next, pax_headers):

Lib/test/test_tarfile.py

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1113,6 +1113,48 @@ def test_pax_number_fields(self):
11131113
finally:
11141114
tar.close()
11151115

1116+
def test_pax_header_bad_formats(self):
1117+
# The fields from the pax header have priority over the
1118+
# TarInfo.
1119+
pax_header_replacements = (
1120+
b" foo=bar\n",
1121+
b"0 \n",
1122+
b"1 \n",
1123+
b"2 \n",
1124+
b"3 =\n",
1125+
b"4 =a\n",
1126+
b"1000000 foo=bar\n",
1127+
b"0 foo=bar\n",
1128+
b"-12 foo=bar\n",
1129+
b"000000000000000000000000036 foo=bar\n",
1130+
)
1131+
pax_headers = {"foo": "bar"}
1132+
1133+
for replacement in pax_header_replacements:
1134+
with self.subTest(header=replacement):
1135+
tar = tarfile.open(tmpname, "w", format=tarfile.PAX_FORMAT,
1136+
encoding="iso8859-1")
1137+
try:
1138+
t = tarfile.TarInfo()
1139+
t.name = "pax" # non-ASCII
1140+
t.uid = 1
1141+
t.pax_headers = pax_headers
1142+
tar.addfile(t)
1143+
finally:
1144+
tar.close()
1145+
1146+
with open(tmpname, "rb") as f:
1147+
data = f.read()
1148+
self.assertIn(b"11 foo=bar\n", data)
1149+
data = data.replace(b"11 foo=bar\n", replacement)
1150+
1151+
with open(tmpname, "wb") as f:
1152+
f.truncate()
1153+
f.write(data)
1154+
1155+
with self.assertRaisesRegex(tarfile.ReadError, r"file could not be opened successfully"):
1156+
tarfile.open(tmpname, encoding="iso8859-1")
1157+
11161158

11171159
class WriteTestBase(TarTest):
11181160
# Put all write tests in here that are supposed to be tested
Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and
2+
GNU sparse headers.

0 commit comments

Comments
 (0)
0