Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

zipfile.Path regression #123270

Closed
obfusk opened this issue Aug 23, 2024 · 28 comments · Fixed by jaraco/zipp#124
Closed

zipfile.Path regression #123270

obfusk opened this issue Aug 23, 2024 · 28 comments · Fixed by jaraco/zipp#124
Assignees
Labels
3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes 3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error type-security A security issue

Comments

@obfusk
Copy link
Contributor

obfusk commented Aug 23, 2024

Bug report

Bug description:

#122906 introduced a regression with directories that look like Windows drive letters (on Linux):

>>> import io, zipfile
>>> zf = zipfile.ZipFile(io.BytesIO(), "w")
>>> zf.writestr("d:/foo", "bar")
>>> zf.extractall("a")
>>> open("a/d:/foo").read()
'bar'
>>> p = zipfile.Path(zf)
>>> x = p / "d" / "foo"
>>> y = p / "d:" / "foo"
>>> list(p.iterdir())   # before: [Path(None, 'd:/')]
[Path(None, 'd/')]
>>> p.root.namelist()   # before: ['d:/foo', 'd:/']
['d/foo', 'd/']
>>> x.exists()          # before: False
True
>>> y.exists()          # before: True
False
>>> zf.extractall("b")  # before: worked like above
KeyError: "There is no item named 'd/foo' in the archive"
>>> x.read_text()       # before: FileNotFoundError
KeyError: "There is no item named 'd/foo' in the archive"
>>> y.read_text()       # before: worked
FileNotFoundError: ...

This is the result of _sanitize() unconditionally treating a directory that looks like a drive letter as such and removing the colon, regardless of operating system:

bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)

Whereas _extract_member() uses os.path.splitdrive() (which is a no-op on Linux):

arcname = os.path.splitdrive(arcname)[1]

CPython versions tested on:

3.12

Operating systems tested on:

Linux

Linked PRs

@obfusk obfusk added the type-bug An unexpected behavior, bug, or error label Aug 23, 2024
@obfusk obfusk changed the title zipfile.Path regression with directories that look like Windows drive letters (on Linux) zipfile.Path regression Aug 23, 2024
@obfusk
Copy link
Contributor Author

obfusk commented Aug 23, 2024

Paths like foo//bar and foo\\bar also cause issues:

>>> import io, zipfile
>>> zf = zipfile.ZipFile(io.BytesIO(), "w")
>>> zf.writestr("foo//bar", "text")
>>> zf.namelist()
['foo//bar']
>>> p = zipfile.Path(zf)
>>> p.root.namelist()   # before: ['foo//bar', 'foo/']
['foo/bar', 'foo/']
>>> x = p / "foo//bar"
>>> y = p / "foo" / "bar"
>>> x.exists()          # before: True
False
>>> y.exists()          # before: False
True
>>> x.read_text()       # before: works, returns 'text'
FileNotFoundError: ...
>>> y.read_text()       # before: FileNotFoundError
KeyError: "There is no item named 'foo/bar' in the archive"
>>> import io, zipfile
>>> zf = zipfile.ZipFile(io.BytesIO(), "w")
>>> zf.writestr("foo\\bar", "text")
>>> zf.namelist()
['foo\\bar']
>>> p = zipfile.Path(zf)
>>> p.root.namelist()   # before: ['foo\\bar']
['foo/bar', 'foo/']
>>> x = p / "foo\\bar"
>>> y = p / "foo" / "bar"
>>> x.exists()          # before: True
False
>>> y.exists()          # before: False
True
>>> x.read_text()       # before: works, returns 'text'
FileNotFoundError: ...
>>> y.read_text()       # before: FileNotFoundError
KeyError: "There is no item named 'foo/bar' in the archive"

@ZeroIntensity
Copy link
Member

cc @jaraco

@obfusk
Copy link
Contributor Author

obfusk commented Aug 23, 2024

Sanitising is good. But e.g. .open() will not work if it can't map back to the original path to pass that to ZipFile.open(). Though .joinpath() will of course never use // or \\, so opening these files already required constructing the path without using that. Not sure what's best here if opening files with paths affected by sanitising is meant to be supported.

@picnixz picnixz added the stdlib Python modules in the Lib dir label Aug 23, 2024
@obfusk
Copy link
Contributor Author

obfusk commented Aug 23, 2024

# before
>>> import io, os, zipfile
>>> zf = zipfile.ZipFile(io.BytesIO(), "w")
>>> zf.writestr("foo/bar", "one")
>>> zf.writestr("foo\\bar", "two")
>>> zf.namelist()
['foo/bar', 'foo\\bar']
>>> zf.extractall("a")
>>> os.system("tree a")
a
├── foo
│   └── bar
└── foo\bar
>>> p = zipfile.Path(zf)
>>> p.root.namelist()
['foo/bar', 'foo\\bar', 'foo/']
>>> (p / "foo" / "bar").read_text()
'one'
>>> (p / "foo\\bar").read_text()
'two'

# after
>>> import io, os, zipfile
>>> zf = zipfile.ZipFile(io.BytesIO(), "w")
>>> zf.writestr("foo/bar", "one")
>>> zf.writestr("foo\\bar", "two")
>>> p = zipfile.Path(zf)
>>> zf.namelist()
['foo/bar', 'foo/bar', 'foo/']
>>> zf.extractall("a")
>>> os.system("tree a")
a
└── foo
    └── bar
>>> (p / "foo" / "bar").read_text()
'one'
>>> (p / "foo\\bar").read_text()
FileNotFoundError: ...

@obfusk
Copy link
Contributor Author

obfusk commented Aug 23, 2024

Sanitising is good. But e.g. .open() will not work if it can't map back to the original path to pass that to ZipFile.open(). Though .joinpath() will of course never use // or \\, so opening these files already required constructing the path without using that. Not sure what's best here if opening files with paths affected by sanitising is meant to be supported.

Keeping a dict mapping sanitised paths back to the originals might be a good choice. Though .namelist() will still be "wrong" for the ZipFile (e.g. when calling .extractall()). And it doesn't handle "duplicates" (see above).

@jaraco
Copy link
Member

jaraco commented Aug 24, 2024

Not sure what's best here if opening files with paths affected by sanitising is meant to be supported.

My expectation was that paths affected by sanitizing would not be supported.

regression with directories that look like Windows drive letters (on Linux)

My goal is to provide a (perhaps constrained) interface that's portable and provides consistent behavior independent of platform.

I'll have to think about this some more

Paths like foo//bar and foo\\bar also cause issues:

I was not expecting that foo\bar or d:/foo were in use in zip files.

Can you say more about the use-cases that are affected by these paths? What causes these zip files to exist? What does the author of such a zip file expect to happen when consumed by a zipfile client?

@obfusk
Copy link
Contributor Author

obfusk commented Aug 24, 2024

I was not expecting that foo\bar or d:/foo were in use in zip files.

Are these file names common? Maybe not. But on Linux these are perfectly acceptable file names. And whilst they may indeed cause portability issues for Windows users and I would thus avoid them when creating ZIP files for use on Windows, the ZIP format also considers them perfectly acceptable.

I myself have quite a few music files with odd file names; song titles can be quite varied. And whilst I've sometimes run into problems extracting those files on other operating systems I have never had issues creating or listing ZIP files.

File names like foo/..//./bar can be considered malformed and would not be generated by simply creating a ZIP file from an existing directory tree. But d:/foo\\bar is not malformed, just unusual (and perhaps not portable).

$ mkdir d:
$ echo "Hi!" >> d:/foo\\bar
$ zip -r foo.zip d:
  adding: d:/ (stored 0%)
  adding: d:/foo\bar (stored 0%)
$ unzip -l foo.zip
Archive:  foo.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2024-08-24 04:04   d:/
        4  2024-08-24 04:04   d:/foo\bar
---------                     -------
        4                     2 files
$ python3 -mzipfile -l foo.zip
File Name                                             Modified             Size
d:/                                            2024-08-24 04:04:20            0
d:/foo\bar                                     2024-08-24 04:04:20            4
$ zipinfo.py -e foo.zip
Archive:  foo.zip
Zip file size: 308 bytes, number of entries: 2
drwx------  3.0 unx        0 bx        0 stor 2024-08-24 04:04:20 00000000 d:/
-rw-------  3.0 unx        4 tx        4 stor 2024-08-24 04:04:20 54a8a39c d:/foo\bar
2 files, 4 bytes uncompressed, 4 bytes compressed:  0.0%

Tools like zip and unzip and my own zipinfo.py handle them just fine. So I would expect the same from Python. And indeed zipfile.ZipFile handles them just fine. But zipfile.Path now rejects them.

I generally expect to be able to take any directory tree and turn it into a ZIP file without having to worry about file names containing colons or backslashes. Or at the most that I might need to be careful when extracting them on Windows. I would not expect to have problems merely listing the contents, especially when not even using Windows.

So it is very surprising when zipfile.Path effectively rejects perfectly valid ZIP files just because they have "unsupported" file names, especially since it didn't do so before. I would perhaps expect this kind of backwards-incompatible change to happen in a major version, given a good reason, but not in a security patch. And for it to be clearly documented if the interface is constrained like this. It also fails in unexpected ways, instead of providing a clear error message that makes it clear the problem is an unsupported file name.

@obfusk
Copy link
Contributor Author

obfusk commented Aug 24, 2024

My expectation was that paths affected by sanitizing would not be supported.

And my expectation would be that such paths would be either explicitly rejected as malformed if they cannot reasonably be supported. Or when they can be, handled gracefully with a portable interface that maps sanitised names providing a consistent interface that can reasonably be supported onto the underlying file names instead of simply causing attempts to read files to fail because the underlying file name does not match the sanitised one. And before this change, d:/foo\\bar worked just fine.

@obfusk
Copy link
Contributor Author

obfusk commented Aug 24, 2024

This worked perfectly fine before. Now it raises FileNotFoundError.

>>> zf = zipfile.ZipFile("foo.zip", "r")
>>> zf.namelist()
['d:/', 'd:/foo\\bar']
>>> p = zipfile.Path(zf)
>>> (p / "d:").is_dir()
True
>>> (p / "d:" / "foo\\bar").read_text()
'Hi!\n'

And if d:/foo\\bar is not considered a valid path by zipfile.Path, I'd expect an error. Instead it happily tells me there is a file named d/foo/bar. Except when I try reading I get an error that says there is no such file:

>>> (p / "d" / "foo" / "bar").is_file()
True
>>> (p / "d" / "foo" / "bar").read_text()
KeyError: "There is no item named 'd/foo/bar' in the archive"

@obfusk
Copy link
Contributor Author

obfusk commented Aug 24, 2024

Note that it's not just d:/foo that's no longer allowed, e.g. V: The New Mythology Suite.flac is now also a forbidden file name (though extractall() would remove the "V: " -- but only on Windows, and only when extracting, not listing files).

Meanwhile, this seems incorrect:

>>> zipfile._path.SanitizedNames._sanitize("d:/foo")
'd/foo'
>>> zipfile._path.SanitizedNames._sanitize("/d:/foo")
'd:/foo'

@obfusk
Copy link
Contributor Author

obfusk commented Aug 24, 2024

Meanwhile, as I posted here, the only fix needed for the infinite loop would be the loop condition here:

while path and path != posixpath.sep:
yield path
path, tail = posixpath.split(path)

This should work:

    while path and path != posixpath.sep * len(path):
        yield path
        path, tail = posixpath.split(path)

Or this:

    while path:
        yield path
        head, tail = posixpath.split(path)
        if head == path:
            break
        path = head

@jaraco
Copy link
Member

jaraco commented Aug 26, 2024

It seems I've stumbled into a hornets nest. When I received the report about the infinite loops, my objective was to try to understand the broader problem and not simply address an issue with the infinite loops. I sought to figure out why zipfile.extractall was not affected by the same issue, which led me to the sanitizing behavior that it applies. I drew inspiration from that in an attempt to generalize the kinds of unsupported, malformed paths. At the same time, I took the opportunity to be more constraining in order to provide a uniform experience on any platform. As originally designed, zipfile.Path aims to support basic, commonly constructed zip files.

Note that it's not just d:/foo that's no longer allowed, e.g. V: The New Mythology Suite.flac is now also a forbidden file name (though extractall() would remove the "V: " -- but only on Windows, and only when extracting, not listing files).

Yeah, that's unfortunate, but I think zipfile.Path does not wish to support this name because it isn't valid on commonly-found operating systems... or to support the name, but in a uniform way. In my opinion, it's more desirable to have a consistent behavior than to have varying behavior depending on platform.

On the other hand, supporting this name for traversal on any operating system should be fine, right up until the point that these files are manifest on the file system, such as importlib.resources.as_file does here.

zipfile.Path aims to represent the zipfile in a way that's safe to "extract all contents" on any platform, which means it can't expose V: The New Mythology... as any component of the path.

Meanwhile, this seems incorrect:

>>> zipfile._path.SanitizedNames._sanitize("d:/foo")
'd/foo'
>>> zipfile._path.SanitizedNames._sanitize("/d:/foo")
'd:/foo'

Yes, I agree. Probably all colons should be disallowed.

.open() will not work if it can't map back to the original path to pass that to ZipFile.open()

That's a good point, and not something I considered when sanitizing, and really suggests that sanitizing early is much more complicated than it sounds.

Meanwhile, as I posted here, the only fix needed for the infinite loop would be the loop condition here:

The more I think about it, the more I'm liking this approach. Leave the path segments unaffected and let them fail if the user uses a name that's not valid on a platform. In that way, the path V: The New Mythology would be valid on any platform and would fail with the appropriate error if the user tried to "open" that name on a Windows OS (same for d:/ or /d:/).

The real problem, I think, is that we also want to protect against other separators, like \ or special names like ...

Should zipfile.Path consider \ as a path separator? Looking at the spec:

4.4.17.1 The name of the file, with optional relative path. The path stored MUST NOT contain a drive or device letter, or a leading slash. All slashes MUST be forward slashes '/' as opposed to backwards slashes '' for compatibility with Amiga and UNIX file systems etc.

So it seems reasonable to just treat backslashes and dots and everything else as part of the path segment and not a path separator, and let the OS fail if anything attempts to create those as files or directories in the system (e.g. mkdir('\\') or open('..', 'w')).


I'm now convinced, SanitizedNames should be scrapped and replaced by a surgical fix for the infinite loop in the traversal.

@jaraco
Copy link
Member

jaraco commented Aug 26, 2024

In jaraco/zipp#124, I've started work on the issue.

@jaraco jaraco self-assigned this Aug 26, 2024
jaraco added a commit to jaraco/zipp that referenced this issue Aug 26, 2024
jaraco added a commit to jaraco/zipp that referenced this issue Aug 26, 2024
jaraco added a commit to jaraco/zipp that referenced this issue Aug 26, 2024
@jaraco
Copy link
Member

jaraco commented Aug 26, 2024

This should work:

    while path and path != posixpath.sep * len(path):
        yield path
        path, tail = posixpath.split(path)

I tried applying this, and it does address the infinite loop. I ended up using not path.endswith(posixpath.sep)

In jaraco/zipp@0a3a7b4, I had to adjust the expectation for .iterdir() - it no longer emits any elements that begin with forward slashes. I think that's fine. Silently ignoring malformed paths is better than presenting them under another name and then not being able to open them.

@obfusk
Copy link
Contributor Author

obfusk commented Aug 26, 2024

So it seems reasonable to just treat backslashes and dots and everything else as part of the path segment and not a path separator, and let the OS fail if anything attempts to create those as files or directories in the system (e.g. mkdir('\\') or open('..', 'w')).

Using ZipFile.extractall() is safe because it sanitises the paths when extracting. AFAIK zipfile.Path does not provide its own interface to extract files, but any code that traverses the Path and replicates it to disk (like the importlib code you linked) would need to be careful to not be vulnerable to path traversal and perhaps try to gracefully handle filenames not supported by the operating system (and that would apply to any Path, not just ZIP files).

I tried applying this, and it does address the infinite loop. I ended up using not path.endswith(posixpath.sep)

One of several essentially equivalent fixes (assuming no change in behaviour of posixpath.split()). Maybe even the cleanest (I hadn't really decided which I preferred yet) :)

@jaraco
Copy link
Member

jaraco commented Aug 26, 2024

One of several essentially equivalent fixes (assuming no change in behaviour of posixpath.split()). Maybe even the cleanest (I hadn't really decided which I preferred yet) :)

I found something I think I like even better:

diff --git a/zipp/__init__.py b/zipp/__init__.py
index 0b7b44325fe..a3f0b1b481f 100644
--- a/zipp/__init__.py
+++ b/zipp/__init__.py
@@ -65,7 +65,7 @@ def _ancestry(path):
     ['//b//d///f', '//b//d', '//b']
     """
     path = path.rstrip(posixpath.sep)
-    while path and not path.endswith(posixpath.sep):
+    while path.rstrip(posixpath.sep):
         yield path
         path, tail = posixpath.split(path)
 

Because it combines the check for "empty" and "is only slashes" into one check.

@ZeroIntensity
Copy link
Member

Is the plan to revert #122906 from all the security branches, and just put the fix for this on >3.11? Or is this going to be backported into all the security-only versions as well?

@jaraco
Copy link
Member

jaraco commented Aug 26, 2024

My plan is to apply the change to security-only versions. Reverting the change would revive the vulnerability.

@jaraco
Copy link
Member

jaraco commented Aug 26, 2024

AFAIK zipfile.Path does not provide its own interface to extract files, but any code that traverses the Path and replicates it to disk (like the importlib code you linked) would need to be careful to not be vulnerable to path traversal and perhaps try to gracefully handle filenames not supported by the operating system (and that would apply to any Path, not just ZIP files).

Thanks for raising this concern. I was thinking about it too, and here's my thinking:

Because of the way that zipfile.Path represents a tree and not a list of paths, it doesn't require sanitization. Thinking about the importlib code, it will start at the root (or some subpath of the zipfile), and name by name construct the dirs and files, so it will invoke mkdir("d:") or open(r"Back\Path", "w") or open(r"..", "w"). Those operations will succeed on platforms where that's allowed and fail where not allowed, but it never (?) has the unintended consequence of causing a user to unexpectedly traverse to a parent directory or a root folder, because each path element is encountered in order and must succeed on mkdir or write_bytes before traversing further. I'm confident but not certain that covers all of the bases.

@obfusk
Copy link
Contributor Author

obfusk commented Aug 26, 2024

I agree that the specific code from importlib is likely to be fine -- assuming mkdir() fails for .. etc. on all platforms and we didn't overlook anything else. But slightly different code -- e.g. code that traverses multiple trees that may overlap and thus uses child.mkdir(exist_ok=True) -- can easily become vulnerable to path traversal.

@jaraco
Copy link
Member

jaraco commented Aug 26, 2024

child.mkdir(exist_ok=True)

Yeah, that does appear potentially problemmatic. I see a few possible options:

  • Revive something like SanitizedNames and have the zipfile.Path object only expose sanitized names (even for .open and .read* operations). Possibly make the sanitization platform-sensitive (yuck).
  • Advertise that zipfile.Path does not do any name sanitization and it's the responsibility of the caller to check the inputs, etc.
  • Emit a warning when encountering potentially unsafe paths. Maybe configure the warning be an error by default but allow it to be tuned down to emit an error message or be silenced.
  • zipfile.Path could provide its own traversal that could offer some safety checks.

To be sure, the draft as proposed does still address the originally-reported vulnerability, so it's not a regression in security from that perspective, but still it would be nice not to open up prospects for other vulnerabilities.

github-actions bot pushed a commit to aio-libs/aiohttp that referenced this issue Aug 28, 2024
Bumps [zipp](https://github.com/jaraco/zipp) from 3.20.0 to 3.20.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jaraco/zipp/blob/main/NEWS.rst">zipp's
changelog</a>.</em></p>
<blockquote>
<h1>v3.20.1</h1>
<h2>Bugfixes</h2>
<ul>
<li><code>python/cpython#123270</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jaraco/zipp/commit/c23e5498d156fabfadcb26453dc363ef7d26e51a"><code>c23e549</code></a>
Finalize</li>
<li><a
href="https://github.com/jaraco/zipp/commit/c2b9015366cf3f3b67a4e88c75833b9e3f498826"><code>c2b9015</code></a>
Merge pull request <a
href="https://redirect.github.com/jaraco/zipp/issues/124">#124</a> from
jaraco/bugfix/gh-123270-supported-names</li>
<li><a
href="https://github.com/jaraco/zipp/commit/774a3ac67f5b827684e8c3b2e03c5f8bbb440593"><code>774a3ac</code></a>
Add TODO to consolidate this behavior in CPython.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/cc61e6140f0dfde2ff372db932442cf6df890f09"><code>cc61e61</code></a>
Prefer simpler path.rstrip to consolidate checks for empty or only
paths.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/bec712f098666b1767502d793d36b51afd0d7e94"><code>bec712f</code></a>
Mark unused code as uncovered.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/fde82dcfdea5722c5126e83921773c629a8ba400"><code>fde82dc</code></a>
Add news fragment.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/a421f7e38d88ca9b6b58c89c6b3f141c07fdc588"><code>a421f7e</code></a>
Invent DirtyZipInfo to create an unsanitized zipfile with
backslashes.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/0a3a7b4652e417f61de2458506d05570e22df018"><code>0a3a7b4</code></a>
Refine expectation that paths with leading slashes are simply not
visible.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/f89b93f0370dd85d23d243e25dfc1f99f4d8de48"><code>f89b93f</code></a>
Address infinite loop when zipfile begins with more than one leading
slash.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/3cb5609002263eb19f7b5efda82d96f1f57fe876"><code>3cb5609</code></a>
Removed SanitizedNames.</li>
<li>Additional commits viewable in <a
href="https://github.com/jaraco/zipp/compare/v3.20.0...v3.20.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=zipp&package-manager=pip&previous-version=3.20.0&new-version=3.20.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
jaraco added a commit to jaraco/cpython that referenced this issue Aug 28, 2024
…fix. (pythonGH-123354)

Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286)

Co-authored-by: Jason R. Coombs <[email protected]>
jaraco added a commit to jaraco/cpython that referenced this issue Aug 28, 2024
…rgical fix. (pythonGH-123354)

Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286)
(cherry picked from commit 17b77bb)

Co-authored-by: Jason R. Coombs <[email protected]>
jaraco added a commit to jaraco/cpython that referenced this issue Aug 28, 2024
…gical fix. (pythonGH-123354)

Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286)
(cherry picked from commit 17b77bb)

Co-authored-by: Jason R. Coombs <[email protected]>
jaraco added a commit to jaraco/cpython that referenced this issue Aug 28, 2024
…re surgical fix. (pythonGH-123354)

Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286)
(cherry picked from commit 17b77bb)
(cherry picked from commit 66d3383)

Co-authored-by: Jason R. Coombs <[email protected]>
Yhg1s pushed a commit that referenced this issue Sep 2, 2024
…H-123354) (#123410)

gh-123270: Replaced SanitizedNames with a more surgical fix. (GH-123354)

Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286)

Co-authored-by: Jason R. Coombs <[email protected]>
jaraco added a commit that referenced this issue Sep 2, 2024
…H-123354) (#123411)

gh-123270: Replaced SanitizedNames with a more surgical fix. (GH-123354)

Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286)

Co-authored-by: Jason R. Coombs <[email protected]>
benhammondmusic added a commit to SatcherInstitute/health-equity-tracker that referenced this issue Sep 3, 2024
…3612)

Bumps the minor-python group in /shared_requirements with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [certifi](https://github.com/certifi/python-certifi) | `2024.7.4` |
`2024.8.30` |
|
[googleapis-common-protos[grpc]](https://github.com/googleapis/python-api-common-protos)
| `1.63.2` | `1.65.0` |
| [grpcio-status](https://grpc.io) | `1.66.0` | `1.66.1` |
| [grpcio](https://github.com/grpc/grpc) | `1.66.0` | `1.66.1` |
| [numpy](https://github.com/numpy/numpy) | `2.0.1` | `2.1.0` |
| [pylint](https://github.com/pylint-dev/pylint) | `3.2.6` | `3.2.7` |
| [zipp](https://github.com/jaraco/zipp) | `3.20.0` | `3.20.1` |

Updates `certifi` from 2024.7.4 to 2024.8.30
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/certifi/python-certifi/commit/325c2fde4f8eec10d682b09f3b0414dc05e69a81"><code>325c2fd</code></a>
2024.08.30 (<a
href="https://redirect.github.com/certifi/python-certifi/issues/304">#304</a>)</li>
<li><a
href="https://github.com/certifi/python-certifi/commit/d66bf5fccbb2b13b033841ef86ad261ab9915833"><code>d66bf5f</code></a>
Bump actions/upload-artifact from 4.3.5 to 4.3.6 (<a
href="https://redirect.github.com/certifi/python-certifi/issues/302">#302</a>)</li>
<li><a
href="https://github.com/certifi/python-certifi/commit/2150f23ee178c923fb05913e516d168dd841f9e3"><code>2150f23</code></a>
Bump actions/upload-artifact from 4.3.4 to 4.3.5 (<a
href="https://redirect.github.com/certifi/python-certifi/issues/301">#301</a>)</li>
<li><a
href="https://github.com/certifi/python-certifi/commit/fc9b771c1e5bd5f0f97534464c16a6ab785d5592"><code>fc9b771</code></a>
Bump actions/setup-python from 5.1.0 to 5.1.1 (<a
href="https://redirect.github.com/certifi/python-certifi/issues/300">#300</a>)</li>
<li><a
href="https://github.com/certifi/python-certifi/commit/965b2391df4bdce03fb07bf8cc19003585b43599"><code>965b239</code></a>
Bump actions/download-artifact from 4.1.7 to 4.1.8 (<a
href="https://redirect.github.com/certifi/python-certifi/issues/297">#297</a>)</li>
<li><a
href="https://github.com/certifi/python-certifi/commit/c1f50ccd010b428caeb105255638e67be7c64f5c"><code>c1f50cc</code></a>
Bump actions/upload-artifact from 4.3.3 to 4.3.4 (<a
href="https://redirect.github.com/certifi/python-certifi/issues/296">#296</a>)</li>
<li>See full diff in <a
href="https://github.com/certifi/python-certifi/compare/2024.07.04...2024.08.30">compare
view</a></li>
</ul>
</details>
<br />

Updates `googleapis-common-protos[grpc]` from 1.63.2 to 1.65.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/googleapis/python-api-common-protos/releases">googleapis-common-protos[grpc]'s
releases</a>.</em></p>
<blockquote>
<h2>v1.65.0</h2>
<h2><a
href="https://github.com/googleapis/python-api-common-protos/compare/v1.64.0...v1.65.0">1.65.0</a>
(2024-08-27)</h2>
<h3>Features</h3>
<ul>
<li>Add field <code>experimental_features</code> to message
<code>PythonSettings</code> (<a
href="https://redirect.github.com/googleapis/python-api-common-protos/issues/249">#249</a>)
(<a
href="https://github.com/googleapis/python-api-common-protos/commit/139490fedcebf1a6674d9cf058226e6814208619">139490f</a>)</li>
</ul>
<h2>v1.64.0</h2>
<h2><a
href="https://github.com/googleapis/python-api-common-protos/compare/v1.63.2...v1.64.0">1.64.0</a>
(2024-08-26)</h2>
<h3>Features</h3>
<ul>
<li>Add FieldInfo.referenced_types for generics (<a
href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li>Un-deprecate Endpoint.aliases field (<a
href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li>
</ul>
<h3>Documentation</h3>
<ul>
<li>Fix formatting in http.proto comments (<a
href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li>
<li>Improve MethodSettings selector examples (<a
href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li>
<li>Reformat comments in context proto (<a
href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li>
<li>Update ResourceDescriptor.plural docs with AIP-122 nested
collections guidance (<a
href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/googleapis/python-api-common-protos/blob/main/CHANGELOG.md">googleapis-common-protos[grpc]'s
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/googleapis/python-api-common-protos/compare/v1.64.0...v1.65.0">1.65.0</a>
(2024-08-27)</h2>
<h3>Features</h3>
<ul>
<li>Add field <code>experimental_features</code> to message
<code>PythonSettings</code> (<a
href="https://redirect.github.com/googleapis/python-api-common-protos/issues/249">#249</a>)
(<a
href="https://github.com/googleapis/python-api-common-protos/commit/139490fedcebf1a6674d9cf058226e6814208619">139490f</a>)</li>
</ul>
<h2><a
href="https://github.com/googleapis/python-api-common-protos/compare/v1.63.2...v1.64.0">1.64.0</a>
(2024-08-26)</h2>
<h3>Features</h3>
<ul>
<li>Add FieldInfo.referenced_types for generics (<a
href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li>Un-deprecate Endpoint.aliases field (<a
href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li>
</ul>
<h3>Documentation</h3>
<ul>
<li>Fix formatting in http.proto comments (<a
href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li>
<li>Improve MethodSettings selector examples (<a
href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li>
<li>Reformat comments in context proto (<a
href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li>
<li>Update ResourceDescriptor.plural docs with AIP-122 nested
collections guidance (<a
href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/googleapis/python-api-common-protos/commit/f30115b7302afc91bf06f210a270a6530b7fafdf"><code>f30115b</code></a>
chore(main): release 1.65.0 (<a
href="https://redirect.github.com/googleapis/python-api-common-protos/issues/250">#250</a>)</li>
<li><a
href="https://github.com/googleapis/python-api-common-protos/commit/139490fedcebf1a6674d9cf058226e6814208619"><code>139490f</code></a>
feat: Add field <code>experimental_features</code> to message
<code>PythonSettings</code> (<a
href="https://redirect.github.com/googleapis/python-api-common-protos/issues/249">#249</a>)</li>
<li><a
href="https://github.com/googleapis/python-api-common-protos/commit/9099f715cd7fa6b5d796c8ceddcb852e367b2bc2"><code>9099f71</code></a>
chore(main): release 1.64.0 (<a
href="https://redirect.github.com/googleapis/python-api-common-protos/issues/248">#248</a>)</li>
<li><a
href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be"><code>2ba3577</code></a>
feat: add FieldInfo.referenced_types for generics (<a
href="https://redirect.github.com/googleapis/python-api-common-protos/issues/247">#247</a>)</li>
<li><a
href="https://github.com/googleapis/python-api-common-protos/commit/f949829be77f2d4e3fde59ddc4e15cbfc60639c8"><code>f949829</code></a>
chore(python): use python 3.10 for docs build (<a
href="https://redirect.github.com/googleapis/python-api-common-protos/issues/243">#243</a>)</li>
<li><a
href="https://github.com/googleapis/python-api-common-protos/commit/996bf2bffa13ed2ffb6dd0321c84a0c132802eb7"><code>996bf2b</code></a>
chore: update templated files (<a
href="https://redirect.github.com/googleapis/python-api-common-protos/issues/239">#239</a>)</li>
<li>See full diff in <a
href="https://github.com/googleapis/python-api-common-protos/compare/v1.63.2...v1.65.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `grpcio-status` from 1.66.0 to 1.66.1

Updates `grpcio` from 1.66.0 to 1.66.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/grpc/grpc/releases">grpcio's
releases</a>.</em></p>
<blockquote>
<h2>Release v1.66.1</h2>
<p>This is release gRPC Core 1.66.1 (gladiator).</p>
<p>For gRPC documentation, see <a href="https://grpc.io/">grpc.io</a>.
For previous releases, see <a
href="https://github.com/grpc/grpc/releases">Releases</a>.</p>
<p>This release contains refinements, improvements, and bug fixes.</p>
<h1>Core</h1>
<ul>
<li>Enable EDS dualstack support by default (<a
href="https://redirect.github.com/grpc/grpc/pull/37545">grpc/grpc#37545</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/grpc/grpc/commit/e821cdc231bda9ee93139a6daab6311dd8953832"><code>e821cdc</code></a>
[Release] Bump version to 1.66.1 (on v1.66.x branch) (<a
href="https://redirect.github.com/grpc/grpc/issues/37570">#37570</a>)</li>
<li><a
href="https://github.com/grpc/grpc/commit/c8ada9c7ee26074392f7cacefda01d1016d9f9d7"><code>c8ada9c</code></a>
[dualstack] enable EDS dualstack support by default (backport to 1.66.x)
(<a
href="https://redirect.github.com/grpc/grpc/issues/37">#37</a>...</li>
<li>See full diff in <a
href="https://github.com/grpc/grpc/compare/v1.66.0...v1.66.1">compare
view</a></li>
</ul>
</details>
<br />

Updates `numpy` from 2.0.1 to 2.1.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/numpy/numpy/releases">numpy's
releases</a>.</em></p>
<blockquote>
<h2>2.1.0 (Aug 18, 2024)</h2>
<h1>NumPy 2.1.0 Release Notes</h1>
<p>NumPy 2.1.0 provides support for the upcoming Python 3.13 release and
drops support for Python 3.9. In addition to the usual bug fixes and
updated Python support, it helps get us back into our usual release
cycle after the extended development of 2.0. The highlights for this
release are:</p>
<ul>
<li>Support for the array-api 2023.12 standard.</li>
<li>Support for Python 3.13.</li>
<li>Preliminary support for free threaded Python 3.13.</li>
</ul>
<p>Python versions 3.10-3.13 are supported in this release.</p>
<h2>New functions</h2>
<h3>New function <code>numpy.unstack</code></h3>
<p>A new function <code>np.unstack(array, axis=...)</code> was added,
which splits an
array into a tuple of arrays along an axis. It serves as the inverse of
[numpy.stack]{.title-ref}.</p>
<p>(<a
href="https://redirect.github.com/numpy/numpy/pull/26579">gh-26579</a>)</p>
<h2>Deprecations</h2>
<ul>
<li>
<p>The <code>fix_imports</code> keyword argument in
<code>numpy.save</code> is deprecated.
Since NumPy 1.17, <code>numpy.save</code> uses a pickle protocol that no
longer
supports Python 2, and ignored <code>fix_imports</code> keyword. This
keyword
is kept only for backward compatibility. It is now deprecated.</p>
<p>(<a
href="https://redirect.github.com/numpy/numpy/pull/26452">gh-26452</a>)</p>
</li>
<li>
<p>Passing non-integer inputs as the first argument of
[bincount]{.title-ref} is now deprecated, because such inputs are
silently cast to integers with no warning about loss of precision.</p>
<p>(<a
href="https://redirect.github.com/numpy/numpy/pull/27076">gh-27076</a>)</p>
</li>
</ul>
<h2>Expired deprecations</h2>
<ul>
<li>
<p>Scalars and 0D arrays are disallowed for <code>numpy.nonzero</code>
and
<code>numpy.ndarray.nonzero</code>.</p>
<p>(<a
href="https://redirect.github.com/numpy/numpy/pull/26268">gh-26268</a>)</p>
</li>
<li>
<p><code>set_string_function</code> internal function was removed and
<code>PyArray_SetStringFunction</code> was stubbed out.</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/numpy/numpy/commit/2f7fe64b8b6d7591dd208942f1cc74473d5db4cb"><code>2f7fe64</code></a>
Merge pull request <a
href="https://redirect.github.com/numpy/numpy/issues/27236">#27236</a>
from charris/prepare-2.1.0</li>
<li><a
href="https://github.com/numpy/numpy/commit/b6f434f852e9d1ed4f7de9a3a465b38171d54a61"><code>b6f434f</code></a>
REL: Prepare for the NumPy 2.1.0 release [wheel build]</li>
<li><a
href="https://github.com/numpy/numpy/commit/3cf93948797fb81fc251c26cb90d6c44f8374c54"><code>3cf9394</code></a>
Merge pull request <a
href="https://redirect.github.com/numpy/numpy/issues/27234">#27234</a>
from charris/backport-25984</li>
<li><a
href="https://github.com/numpy/numpy/commit/7443dcc915fea1e905f354da511e9e60da82e19c"><code>7443dcc</code></a>
Merge pull request <a
href="https://redirect.github.com/numpy/numpy/issues/27233">#27233</a>
from charris/backport-27223</li>
<li><a
href="https://github.com/numpy/numpy/commit/85b1cab2ad5f418cca485042478622ce13a497a7"><code>85b1cab</code></a>
BUG: Allow fitting of degree zero polynomials with Polynomial.fit</li>
<li><a
href="https://github.com/numpy/numpy/commit/395a81dee5be52b2acff817e6f16652d23181fc3"><code>395a81d</code></a>
DOC: reword discussion about shared arrays to hopefully be clearer</li>
<li><a
href="https://github.com/numpy/numpy/commit/5af2e965a02137cd05706d8d395d8263f395f7c7"><code>5af2e96</code></a>
Move NUMUSERTYPES thread safety discussion to legacy DType API docs</li>
<li><a
href="https://github.com/numpy/numpy/commit/d902c24b684e8ba5370a160a375beaa77bae5032"><code>d902c24</code></a>
DOC: add docs on thread safety in NumPy</li>
<li><a
href="https://github.com/numpy/numpy/commit/c080180fabc1f8fcde14c27e3df2de8fcbe7cf03"><code>c080180</code></a>
Merge pull request <a
href="https://redirect.github.com/numpy/numpy/issues/27229">#27229</a>
from charris/backport-27226</li>
<li><a
href="https://github.com/numpy/numpy/commit/44ce7e8f7b43c1045ad78eecaac0435fff491fae"><code>44ce7e8</code></a>
BUG: Fix <code>PyArray_ZeroContiguousBuffer</code> (resize) with struct
dtypes</li>
<li>Additional commits viewable in <a
href="https://github.com/numpy/numpy/compare/v2.0.1...v2.1.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `pylint` from 3.2.6 to 3.2.7
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pylint-dev/pylint/commit/a98215b8c6a6203dd56366bcfe1cd946fb41282a"><code>a98215b</code></a>
Bump pylint to 3.2.7, update changelog</li>
<li><a
href="https://github.com/pylint-dev/pylint/commit/1deaffababe77e8a025e3b2e5d564d4feb8d987f"><code>1deaffa</code></a>
Fix to maintain order of package paths (<a
href="https://redirect.github.com/pylint-dev/pylint/issues/9887">#9887</a>)
(<a
href="https://redirect.github.com/pylint-dev/pylint/issues/9897">#9897</a>)</li>
<li><a
href="https://github.com/pylint-dev/pylint/commit/b4c2951e62c6ba8e061d4c001192efdedcb6f498"><code>b4c2951</code></a>
[Backport maintenance/3.2.x] Fix a crash in
<code>undefined-loop-variable</code> with `e...</li>
<li><a
href="https://github.com/pylint-dev/pylint/commit/f1925f46ff4c93e7d191d24746b601cfeb0b4e3c"><code>f1925f4</code></a>
Fix crash in refactoring checker when calling bound lambda (<a
href="https://redirect.github.com/pylint-dev/pylint/issues/9867">#9867</a>)</li>
<li><a
href="https://github.com/pylint-dev/pylint/commit/7d1626cf869dab1365150265bad45da7e4221bc1"><code>7d1626c</code></a>
Fix a false positive <code>unreachable</code> for <code>NoReturn</code>
coroutine functions (<a
href="https://redirect.github.com/pylint-dev/pylint/issues/9844">#9844</a>)...</li>
<li>See full diff in <a
href="https://github.com/pylint-dev/pylint/compare/v3.2.6...v3.2.7">compare
view</a></li>
</ul>
</details>
<br />

Updates `zipp` from 3.20.0 to 3.20.1
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jaraco/zipp/blob/main/NEWS.rst">zipp's
changelog</a>.</em></p>
<blockquote>
<h1>v3.20.1</h1>
<h2>Bugfixes</h2>
<ul>
<li><code>python/cpython#123270</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jaraco/zipp/commit/c23e5498d156fabfadcb26453dc363ef7d26e51a"><code>c23e549</code></a>
Finalize</li>
<li><a
href="https://github.com/jaraco/zipp/commit/c2b9015366cf3f3b67a4e88c75833b9e3f498826"><code>c2b9015</code></a>
Merge pull request <a
href="https://redirect.github.com/jaraco/zipp/issues/124">#124</a> from
jaraco/bugfix/gh-123270-supported-names</li>
<li><a
href="https://github.com/jaraco/zipp/commit/774a3ac67f5b827684e8c3b2e03c5f8bbb440593"><code>774a3ac</code></a>
Add TODO to consolidate this behavior in CPython.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/cc61e6140f0dfde2ff372db932442cf6df890f09"><code>cc61e61</code></a>
Prefer simpler path.rstrip to consolidate checks for empty or only
paths.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/bec712f098666b1767502d793d36b51afd0d7e94"><code>bec712f</code></a>
Mark unused code as uncovered.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/fde82dcfdea5722c5126e83921773c629a8ba400"><code>fde82dc</code></a>
Add news fragment.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/a421f7e38d88ca9b6b58c89c6b3f141c07fdc588"><code>a421f7e</code></a>
Invent DirtyZipInfo to create an unsanitized zipfile with
backslashes.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/0a3a7b4652e417f61de2458506d05570e22df018"><code>0a3a7b4</code></a>
Refine expectation that paths with leading slashes are simply not
visible.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/f89b93f0370dd85d23d243e25dfc1f99f4d8de48"><code>f89b93f</code></a>
Address infinite loop when zipfile begins with more than one leading
slash.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/3cb5609002263eb19f7b5efda82d96f1f57fe876"><code>3cb5609</code></a>
Removed SanitizedNames.</li>
<li>Additional commits viewable in <a
href="https://github.com/jaraco/zipp/compare/v3.20.0...v3.20.1">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ben Hammond <[email protected]>
ambv pushed a commit that referenced this issue Sep 4, 2024
…H-123354) (#123433)

Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286)
(cherry picked from commit 17b77bb)
(cherry picked from commit 66d3383)

Co-authored-by: Jason R. Coombs <[email protected]>
ambv pushed a commit that referenced this issue Sep 4, 2024
…H-123354) (#123432)

Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286)
(cherry picked from commit 17b77bb)

Co-authored-by: Jason R. Coombs <[email protected]>
ambv pushed a commit that referenced this issue Sep 4, 2024
…H-123354) (#123425)

Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286)

Co-authored-by: Jason R. Coombs <[email protected]>

* Restore the slash-prefixed paths in the malformed_paths test.
ambv pushed a commit that referenced this issue Sep 4, 2024
…H-123354) (#123426)

Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286)
(cherry picked from commit 17b77bb)

Co-authored-by: Jason R. Coombs <[email protected]>
@ambv ambv closed this as completed Sep 4, 2024
@obfusk
Copy link
Contributor Author

obfusk commented Sep 5, 2024

Advertise that zipfile.Path does not do any name sanitization and it's the responsibility of the caller to check the inputs, etc.

I think documenting the caveats would be good.

zipfile.Path could provide its own traversal that could offer some safety checks.

Something like that might be nice. Though perhaps it could be more generic instead of being part of zipfile.Path, even if zipfile.Path would then perhaps provide an extraction API using that?

@jaraco
Copy link
Member

jaraco commented Sep 5, 2024

I opened two issues to track. I'm not planning on driving them, but I'm happy to guide and advise. Feel free to take one or both on, or help drive the conversation toward something that's acceptable. Thanks.

@obfusk
Copy link
Contributor Author

obfusk commented Sep 5, 2024

Thanks. I have too many other projects to work on currently to take this on, but happy to comment and review when I can :)

@abj101
Copy link

abj101 commented Sep 7, 2024

Hi,

I'm new to contributing in general and have some experience in programming. I wanted to start by helping with documentation. How can I get started on this?

@ZeroIntensity
Copy link
Member

I don't think there's anything here that needs documentation updates, since it's a bugfix. You should take a look at the devguide.

@obfusk
Copy link
Contributor Author

obfusk commented Sep 7, 2024

I don't think there's anything here that needs documentation updates, since it's a bugfix.

But #123726 is about updating the documentation to explain the caveats regarding name sanitation as a result of the discussion here :)

kai687 pushed a commit to kai687/sphinxawesome-theme that referenced this issue Sep 16, 2024
Bumps [zipp](https://github.com/jaraco/zipp) from 3.20.0 to 3.20.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jaraco/zipp/blob/main/NEWS.rst">zipp's
changelog</a>.</em></p>
<blockquote>
<h1>v3.20.2</h1>
<h2>Bugfixes</h2>
<ul>
<li>Make zipp.compat.overlay.zipfile hashable. (<a
href="https://redirect.github.com/jaraco/zipp/issues/126">#126</a>)</li>
</ul>
<h1>v3.20.1</h1>
<h2>Bugfixes</h2>
<ul>
<li><code>python/cpython#123270</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jaraco/zipp/commit/a575660e5c76daca0924f6e9520fd7109e05f424"><code>a575660</code></a>
Make no assertions about the number. It could be negative.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/0b3a1b9ddbc8d9f646d51810b082711bf03261c7"><code>0b3a1b9</code></a>
Finalize</li>
<li><a
href="https://github.com/jaraco/zipp/commit/a4c79614a52f34d2999246d807538d46e5986feb"><code>a4c7961</code></a>
Make zipp.compat.overlay.zipfile hashable.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/d66007a66b7dbd88e69eaf59faae8b614cba256d"><code>d66007a</code></a>
Merge <a
href="https://github.com/jaraco/skeleton">https://github.com/jaraco/skeleton</a></li>
<li><a
href="https://github.com/jaraco/zipp/commit/3fe8c5ba792fd58a5a24eef4e8a845f3b5dd6c2c"><code>3fe8c5b</code></a><code>jaraco/skeleton#146</code></li>
<li><a
href="https://github.com/jaraco/zipp/commit/81b766c06cc83679c4a04c2bfa6d2c8cc559bf33"><code>81b766c</code></a>
Fix an incompatibility (and source of merge conflicts) with projects
using Ru...</li>
<li><a
href="https://github.com/jaraco/zipp/commit/b8a63ca4b77d28eb808c457ec781ed3f8ba50671"><code>b8a63ca</code></a>
Merge pull request <a
href="https://redirect.github.com/jaraco/zipp/issues/125">#125</a> from
saschanaz/patch-1</li>
<li><a
href="https://github.com/jaraco/zipp/commit/0b95ec706308342782231a9be2acd98be7ccf996"><code>0b95ec7</code></a>
Suppress F821</li>
<li><a
href="https://github.com/jaraco/zipp/commit/5d2fa666ffae2e89a6e4ccbc5ed9b3a5b8d64fc0"><code>5d2fa66</code></a>
Merge <a
href="https://github.com/jaraco/skeleton">https://github.com/jaraco/skeleton</a></li>
<li><a
href="https://github.com/jaraco/zipp/commit/a675458e1a7d6ae81d0d441338a74dc98ffc5a61"><code>a675458</code></a>
Allow the workflow to be triggered manually.</li>
<li>Additional commits viewable in <a
href="https://github.com/jaraco/zipp/compare/v3.20.0...v3.20.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=zipp&package-manager=pip&previous-version=3.20.0&new-version=3.20.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
shaldengeki pushed a commit to shaldengeki/monorepo that referenced this issue Sep 30, 2024
Bumps [zipp](https://github.com/jaraco/zipp) from 3.20.0 to 3.20.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jaraco/zipp/blob/main/NEWS.rst">zipp's
changelog</a>.</em></p>
<blockquote>
<h1>v3.20.2</h1>
<h2>Bugfixes</h2>
<ul>
<li>Make zipp.compat.overlay.zipfile hashable. (<a
href="https://redirect.github.com/jaraco/zipp/issues/126">#126</a>)</li>
</ul>
<h1>v3.20.1</h1>
<h2>Bugfixes</h2>
<ul>
<li><code>python/cpython#123270</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jaraco/zipp/commit/a575660e5c76daca0924f6e9520fd7109e05f424"><code>a575660</code></a>
Make no assertions about the number. It could be negative.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/0b3a1b9ddbc8d9f646d51810b082711bf03261c7"><code>0b3a1b9</code></a>
Finalize</li>
<li><a
href="https://github.com/jaraco/zipp/commit/a4c79614a52f34d2999246d807538d46e5986feb"><code>a4c7961</code></a>
Make zipp.compat.overlay.zipfile hashable.</li>
<li><a
href="https://github.com/jaraco/zipp/commit/d66007a66b7dbd88e69eaf59faae8b614cba256d"><code>d66007a</code></a>
Merge <a
href="https://github.com/jaraco/skeleton">https://github.com/jaraco/skeleton</a></li>
<li><a
href="https://github.com/jaraco/zipp/commit/3fe8c5ba792fd58a5a24eef4e8a845f3b5dd6c2c"><code>3fe8c5b</code></a><code>jaraco/skeleton#146</code></li>
<li><a
href="https://github.com/jaraco/zipp/commit/81b766c06cc83679c4a04c2bfa6d2c8cc559bf33"><code>81b766c</code></a>
Fix an incompatibility (and source of merge conflicts) with projects
using Ru...</li>
<li><a
href="https://github.com/jaraco/zipp/commit/b8a63ca4b77d28eb808c457ec781ed3f8ba50671"><code>b8a63ca</code></a>
Merge pull request <a
href="https://redirect.github.com/jaraco/zipp/issues/125">#125</a> from
saschanaz/patch-1</li>
<li><a
href="https://github.com/jaraco/zipp/commit/0b95ec706308342782231a9be2acd98be7ccf996"><code>0b95ec7</code></a>
Suppress F821</li>
<li><a
href="https://github.com/jaraco/zipp/commit/5d2fa666ffae2e89a6e4ccbc5ed9b3a5b8d64fc0"><code>5d2fa66</code></a>
Merge <a
href="https://github.com/jaraco/skeleton">https://github.com/jaraco/skeleton</a></li>
<li><a
href="https://github.com/jaraco/zipp/commit/a675458e1a7d6ae81d0d441338a74dc98ffc5a61"><code>a675458</code></a>
Allow the workflow to be triggered manually.</li>
<li>Additional commits viewable in <a
href="https://github.com/jaraco/zipp/compare/v3.20.0...v3.20.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=zipp&package-manager=pip&previous-version=3.20.0&new-version=3.20.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes 3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error type-security A security issue
Projects
Status: Done
Development

Successfully merging a pull request may close this issue.

6 participants