[3.10] bpo-39039: tarfile raises descriptive exception from zlib.error (GH-27766) (GH-28613)

* during tarfile parsing, a zlib error indicates invalid data * tarfile.open now raises a descriptive exception from the zlib error * this makes it clear to the user that they may be trying to open a corrupted tar file (cherry picked from commit b6fe857250) Co-authored-by: Jack DeVries <58614260+jdevries3133@users.noreply.github.com>
2021-09-29 12:19:37 +02:00 · 2021-09-29 12:19:37 +02:00 · d6b69f21d8
parent 1cb17be3e6
commit d6b69f21d8
3 changed files with 25 additions and 0 deletions
--- a/Lib/tarfile.py
+++ b/Lib/tarfile.py
@ -2349,6 +2349,15 @@ def next(self):
                    raise ReadError(str(e)) from None
            except SubsequentHeaderError as e:
                raise ReadError(str(e)) from None
+            except Exception as e:
+                try:
+                    import zlib
+                    if isinstance(e, zlib.error):
+                        raise ReadError(f'zlib error: {e}') from None
+                    else:
+                        raise e
+                except ImportError:
+                    raise e
            break

        if tarinfo is not None:
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
@ -19,6 +19,10 @@
    import gzip
 except ImportError:
    gzip = None
+try:
+    import zlib
+except ImportError:
+    zlib = None
 try:
    import bz2
 except ImportError:
@ -687,6 +691,16 @@ def test_parallel_iteration(self):
                self.assertEqual(m1.offset, m2.offset)
                self.assertEqual(m1.get_info(), m2.get_info())

+    @unittest.skipIf(zlib is None, "requires zlib")
+    def test_zlib_error_does_not_leak(self):
+        # bpo-39039: tarfile.open allowed zlib exceptions to bubble up when
+        # parsing certain types of invalid data
+        with unittest.mock.patch("tarfile.TarInfo.fromtarfile") as mock:
+            mock.side_effect = zlib.error
+            with self.assertRaises(tarfile.ReadError):
+                tarfile.open(self.tarname)
+
+
 class MiscReadTest(MiscReadTestBase, unittest.TestCase):
    test_fail_comp = None

--- a/Misc/NEWS.d/next/Library/2021-08-18-10-36-14.bpo-39039.A63LYh.rst
+++ b/Misc/NEWS.d/next/Library/2021-08-18-10-36-14.bpo-39039.A63LYh.rst
@ -0,0 +1,2 @@
+tarfile.open raises :exc:`~tarfile.ReadError` when a zlib error occurs
+during file extraction.