python
gh-121285: Remove backtracking when parsing tarfile headers
This removes all instances of backtracking from parsing tarfile headers, specifically hdrcharset, PAX, and GNU sparse headers.
- Issue: gh-121285
@sethmlarson Did you mean to add the "Needs backport to 3.x" labels rather than the "3.x" ones?
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.
Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.
![bedevere-app[bot] avatar](https://avatars.githubusercontent.com/in/388350?v=4 "Published by a pub.dev verified publisher"){kind=small}
@ethanfurman Type hints removed in https://github.com/python/cpython/pull/121286/commits/0b5341b66a8cea891608fc4deab026aaa14a1307. I have made the requested changes; please review again
Thanks for making the requested changes!
@ethanfurman: please review the changes made to this pull request.
@gpshead, should we add new tests?
A regression test would be "nice" but isn't strictly required as this is a CPU DoS prevention. The existing functionality tests continuing to pass is the important part.
If we adapted the proof of concept code or example file from the reporter into a regression test, that is effectively giving away an exploit tool. It is generally considered nicer to wait a while after a release before doing that.
Such tests would be needed for each of the covered tar formats, with the expected result being a tarfile.ReadError within a short amount of time rather than hanging.
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.
Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.
Thanks for making the requested changes!
@ethanfurman, @gpshead: please review the changes made to this pull request.
@gpshead @ethanfurman @serhiy-storchaka This PR is still awaiting a final review, if you have time please take a look :)
Thanks @sethmlarson for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9, 3.10, 3.11, 3.12, 3.13. 🐍🍒⛏🤖
![miss-islington-app[bot] avatar](https://avatars.githubusercontent.com/in/409059?v=4 "Published by a pub.dev verified publisher"){kind=small}
Sorry, @sethmlarson and @gpshead, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 34ddb64d088dd7ccc321f6103d23153256caa5d4 3.11
Sorry, @sethmlarson and @gpshead, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 34ddb64d088dd7ccc321f6103d23153256caa5d4 3.10
Sorry, @sethmlarson and @gpshead, I could not cleanly backport this to 3.9 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 34ddb64d088dd7ccc321f6103d23153256caa5d4 3.9
Sorry, @sethmlarson and @gpshead, I could not cleanly backport this to 3.8 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 34ddb64d088dd7ccc321f6103d23153256caa5d4 3.8