-
-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
zipfile.Path regression #123270
Comments
Paths like >>> import io, zipfile
>>> zf = zipfile.ZipFile(io.BytesIO(), "w")
>>> zf.writestr("foo//bar", "text")
>>> zf.namelist()
['foo//bar']
>>> p = zipfile.Path(zf)
>>> p.root.namelist() # before: ['foo//bar', 'foo/']
['foo/bar', 'foo/']
>>> x = p / "foo//bar"
>>> y = p / "foo" / "bar"
>>> x.exists() # before: True
False
>>> y.exists() # before: False
True
>>> x.read_text() # before: works, returns 'text'
FileNotFoundError: ...
>>> y.read_text() # before: FileNotFoundError
KeyError: "There is no item named 'foo/bar' in the archive" >>> import io, zipfile
>>> zf = zipfile.ZipFile(io.BytesIO(), "w")
>>> zf.writestr("foo\\bar", "text")
>>> zf.namelist()
['foo\\bar']
>>> p = zipfile.Path(zf)
>>> p.root.namelist() # before: ['foo\\bar']
['foo/bar', 'foo/']
>>> x = p / "foo\\bar"
>>> y = p / "foo" / "bar"
>>> x.exists() # before: True
False
>>> y.exists() # before: False
True
>>> x.read_text() # before: works, returns 'text'
FileNotFoundError: ...
>>> y.read_text() # before: FileNotFoundError
KeyError: "There is no item named 'foo/bar' in the archive" |
cc @jaraco |
Sanitising is good. But e.g. |
# before
>>> import io, os, zipfile
>>> zf = zipfile.ZipFile(io.BytesIO(), "w")
>>> zf.writestr("foo/bar", "one")
>>> zf.writestr("foo\\bar", "two")
>>> zf.namelist()
['foo/bar', 'foo\\bar']
>>> zf.extractall("a")
>>> os.system("tree a")
a
├── foo
│ └── bar
└── foo\bar
>>> p = zipfile.Path(zf)
>>> p.root.namelist()
['foo/bar', 'foo\\bar', 'foo/']
>>> (p / "foo" / "bar").read_text()
'one'
>>> (p / "foo\\bar").read_text()
'two'
# after
>>> import io, os, zipfile
>>> zf = zipfile.ZipFile(io.BytesIO(), "w")
>>> zf.writestr("foo/bar", "one")
>>> zf.writestr("foo\\bar", "two")
>>> p = zipfile.Path(zf)
>>> zf.namelist()
['foo/bar', 'foo/bar', 'foo/']
>>> zf.extractall("a")
>>> os.system("tree a")
a
└── foo
└── bar
>>> (p / "foo" / "bar").read_text()
'one'
>>> (p / "foo\\bar").read_text()
FileNotFoundError: ... |
Keeping a |
My expectation was that paths affected by sanitizing would not be supported.
My goal is to provide a (perhaps constrained) interface that's portable and provides consistent behavior independent of platform. I'll have to think about this some more
I was not expecting that Can you say more about the use-cases that are affected by these paths? What causes these zip files to exist? What does the author of such a zip file expect to happen when consumed by a zipfile client? |
Are these file names common? Maybe not. But on Linux these are perfectly acceptable file names. And whilst they may indeed cause portability issues for Windows users and I would thus avoid them when creating ZIP files for use on Windows, the ZIP format also considers them perfectly acceptable. I myself have quite a few music files with odd file names; song titles can be quite varied. And whilst I've sometimes run into problems extracting those files on other operating systems I have never had issues creating or listing ZIP files. File names like
Tools like I generally expect to be able to take any directory tree and turn it into a ZIP file without having to worry about file names containing colons or backslashes. Or at the most that I might need to be careful when extracting them on Windows. I would not expect to have problems merely listing the contents, especially when not even using Windows. So it is very surprising when |
And my expectation would be that such paths would be either explicitly rejected as malformed if they cannot reasonably be supported. Or when they can be, handled gracefully with a portable interface that maps sanitised names providing a consistent interface that can reasonably be supported onto the underlying file names instead of simply causing attempts to read files to fail because the underlying file name does not match the sanitised one. And before this change, |
This worked perfectly fine before. Now it raises >>> zf = zipfile.ZipFile("foo.zip", "r")
>>> zf.namelist()
['d:/', 'd:/foo\\bar']
>>> p = zipfile.Path(zf)
>>> (p / "d:").is_dir()
True
>>> (p / "d:" / "foo\\bar").read_text()
'Hi!\n' And if >>> (p / "d" / "foo" / "bar").is_file()
True
>>> (p / "d" / "foo" / "bar").read_text()
KeyError: "There is no item named 'd/foo/bar' in the archive" |
Note that it's not just Meanwhile, this seems incorrect: >>> zipfile._path.SanitizedNames._sanitize("d:/foo")
'd/foo'
>>> zipfile._path.SanitizedNames._sanitize("/d:/foo")
'd:/foo' |
Meanwhile, as I posted here, the only fix needed for the infinite loop would be the loop condition here: cpython/Lib/zipfile/_path/__init__.py Lines 53 to 55 in 52caaef
This should work: while path and path != posixpath.sep * len(path):
yield path
path, tail = posixpath.split(path) Or this: while path:
yield path
head, tail = posixpath.split(path)
if head == path:
break
path = head |
It seems I've stumbled into a hornets nest. When I received the report about the infinite loops, my objective was to try to understand the broader problem and not simply address an issue with the infinite loops. I sought to figure out why
Yeah, that's unfortunate, but I think zipfile.Path does not wish to support this name because it isn't valid on commonly-found operating systems... or to support the name, but in a uniform way. In my opinion, it's more desirable to have a consistent behavior than to have varying behavior depending on platform. On the other hand, supporting this name for traversal on any operating system should be fine, right up until the point that these files are manifest on the file system, such as
Yes, I agree. Probably all colons should be disallowed.
That's a good point, and not something I considered when sanitizing, and really suggests that sanitizing early is much more complicated than it sounds.
The more I think about it, the more I'm liking this approach. Leave the path segments unaffected and let them fail if the user uses a name that's not valid on a platform. In that way, the path The real problem, I think, is that we also want to protect against other separators, like Should zipfile.Path consider
So it seems reasonable to just treat backslashes and dots and everything else as part of the path segment and not a path separator, and let the OS fail if anything attempts to create those as files or directories in the system (e.g. I'm now convinced, |
In jaraco/zipp#124, I've started work on the issue. |
…slash. Alternate and more surgical fix for #119. Ref python/cpython#123270
…slash. Alternate and more surgical fix for #119. Ref python/cpython#123270
…slash. Alternate and more surgical fix for #119. Ref python/cpython#123270
I tried applying this, and it does address the infinite loop. I ended up using In jaraco/zipp@0a3a7b4, I had to adjust the expectation for |
Using
One of several essentially equivalent fixes (assuming no change in behaviour of |
I found something I think I like even better: diff --git a/zipp/__init__.py b/zipp/__init__.py
index 0b7b44325fe..a3f0b1b481f 100644
--- a/zipp/__init__.py
+++ b/zipp/__init__.py
@@ -65,7 +65,7 @@ def _ancestry(path):
['//b//d///f', '//b//d', '//b']
"""
path = path.rstrip(posixpath.sep)
- while path and not path.endswith(posixpath.sep):
+ while path.rstrip(posixpath.sep):
yield path
path, tail = posixpath.split(path)
Because it combines the check for "empty" and "is only slashes" into one check. |
Is the plan to revert #122906 from all the security branches, and just put the fix for this on >3.11? Or is this going to be backported into all the security-only versions as well? |
My plan is to apply the change to security-only versions. Reverting the change would revive the vulnerability. |
Thanks for raising this concern. I was thinking about it too, and here's my thinking: Because of the way that |
I agree that the specific code from |
Yeah, that does appear potentially problemmatic. I see a few possible options:
To be sure, the draft as proposed does still address the originally-reported vulnerability, so it's not a regression in security from that perspective, but still it would be nice not to open up prospects for other vulnerabilities. |
Bumps [zipp](https://github.com/jaraco/zipp) from 3.20.0 to 3.20.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jaraco/zipp/blob/main/NEWS.rst">zipp's changelog</a>.</em></p> <blockquote> <h1>v3.20.1</h1> <h2>Bugfixes</h2> <ul> <li><code>python/cpython#123270</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/jaraco/zipp/commit/c23e5498d156fabfadcb26453dc363ef7d26e51a"><code>c23e549</code></a> Finalize</li> <li><a href="https://github.com/jaraco/zipp/commit/c2b9015366cf3f3b67a4e88c75833b9e3f498826"><code>c2b9015</code></a> Merge pull request <a href="https://redirect.github.com/jaraco/zipp/issues/124">#124</a> from jaraco/bugfix/gh-123270-supported-names</li> <li><a href="https://github.com/jaraco/zipp/commit/774a3ac67f5b827684e8c3b2e03c5f8bbb440593"><code>774a3ac</code></a> Add TODO to consolidate this behavior in CPython.</li> <li><a href="https://github.com/jaraco/zipp/commit/cc61e6140f0dfde2ff372db932442cf6df890f09"><code>cc61e61</code></a> Prefer simpler path.rstrip to consolidate checks for empty or only paths.</li> <li><a href="https://github.com/jaraco/zipp/commit/bec712f098666b1767502d793d36b51afd0d7e94"><code>bec712f</code></a> Mark unused code as uncovered.</li> <li><a href="https://github.com/jaraco/zipp/commit/fde82dcfdea5722c5126e83921773c629a8ba400"><code>fde82dc</code></a> Add news fragment.</li> <li><a href="https://github.com/jaraco/zipp/commit/a421f7e38d88ca9b6b58c89c6b3f141c07fdc588"><code>a421f7e</code></a> Invent DirtyZipInfo to create an unsanitized zipfile with backslashes.</li> <li><a href="https://github.com/jaraco/zipp/commit/0a3a7b4652e417f61de2458506d05570e22df018"><code>0a3a7b4</code></a> Refine expectation that paths with leading slashes are simply not visible.</li> <li><a href="https://github.com/jaraco/zipp/commit/f89b93f0370dd85d23d243e25dfc1f99f4d8de48"><code>f89b93f</code></a> Address infinite loop when zipfile begins with more than one leading slash.</li> <li><a href="https://github.com/jaraco/zipp/commit/3cb5609002263eb19f7b5efda82d96f1f57fe876"><code>3cb5609</code></a> Removed SanitizedNames.</li> <li>Additional commits viewable in <a href="https://github.com/jaraco/zipp/compare/v3.20.0...v3.20.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=zipp&package-manager=pip&previous-version=3.20.0&new-version=3.20.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…fix. (pythonGH-123354) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286) Co-authored-by: Jason R. Coombs <[email protected]>
…rgical fix. (pythonGH-123354) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286) (cherry picked from commit 17b77bb) Co-authored-by: Jason R. Coombs <[email protected]>
…gical fix. (pythonGH-123354) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286) (cherry picked from commit 17b77bb) Co-authored-by: Jason R. Coombs <[email protected]>
…re surgical fix. (pythonGH-123354) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286) (cherry picked from commit 17b77bb) (cherry picked from commit 66d3383) Co-authored-by: Jason R. Coombs <[email protected]>
…H-123354) (#123410) gh-123270: Replaced SanitizedNames with a more surgical fix. (GH-123354) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286) Co-authored-by: Jason R. Coombs <[email protected]>
…H-123354) (#123411) gh-123270: Replaced SanitizedNames with a more surgical fix. (GH-123354) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286) Co-authored-by: Jason R. Coombs <[email protected]>
…3612) Bumps the minor-python group in /shared_requirements with 7 updates: | Package | From | To | | --- | --- | --- | | [certifi](https://github.com/certifi/python-certifi) | `2024.7.4` | `2024.8.30` | | [googleapis-common-protos[grpc]](https://github.com/googleapis/python-api-common-protos) | `1.63.2` | `1.65.0` | | [grpcio-status](https://grpc.io) | `1.66.0` | `1.66.1` | | [grpcio](https://github.com/grpc/grpc) | `1.66.0` | `1.66.1` | | [numpy](https://github.com/numpy/numpy) | `2.0.1` | `2.1.0` | | [pylint](https://github.com/pylint-dev/pylint) | `3.2.6` | `3.2.7` | | [zipp](https://github.com/jaraco/zipp) | `3.20.0` | `3.20.1` | Updates `certifi` from 2024.7.4 to 2024.8.30 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/certifi/python-certifi/commit/325c2fde4f8eec10d682b09f3b0414dc05e69a81"><code>325c2fd</code></a> 2024.08.30 (<a href="https://redirect.github.com/certifi/python-certifi/issues/304">#304</a>)</li> <li><a href="https://github.com/certifi/python-certifi/commit/d66bf5fccbb2b13b033841ef86ad261ab9915833"><code>d66bf5f</code></a> Bump actions/upload-artifact from 4.3.5 to 4.3.6 (<a href="https://redirect.github.com/certifi/python-certifi/issues/302">#302</a>)</li> <li><a href="https://github.com/certifi/python-certifi/commit/2150f23ee178c923fb05913e516d168dd841f9e3"><code>2150f23</code></a> Bump actions/upload-artifact from 4.3.4 to 4.3.5 (<a href="https://redirect.github.com/certifi/python-certifi/issues/301">#301</a>)</li> <li><a href="https://github.com/certifi/python-certifi/commit/fc9b771c1e5bd5f0f97534464c16a6ab785d5592"><code>fc9b771</code></a> Bump actions/setup-python from 5.1.0 to 5.1.1 (<a href="https://redirect.github.com/certifi/python-certifi/issues/300">#300</a>)</li> <li><a href="https://github.com/certifi/python-certifi/commit/965b2391df4bdce03fb07bf8cc19003585b43599"><code>965b239</code></a> Bump actions/download-artifact from 4.1.7 to 4.1.8 (<a href="https://redirect.github.com/certifi/python-certifi/issues/297">#297</a>)</li> <li><a href="https://github.com/certifi/python-certifi/commit/c1f50ccd010b428caeb105255638e67be7c64f5c"><code>c1f50cc</code></a> Bump actions/upload-artifact from 4.3.3 to 4.3.4 (<a href="https://redirect.github.com/certifi/python-certifi/issues/296">#296</a>)</li> <li>See full diff in <a href="https://github.com/certifi/python-certifi/compare/2024.07.04...2024.08.30">compare view</a></li> </ul> </details> <br /> Updates `googleapis-common-protos[grpc]` from 1.63.2 to 1.65.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/googleapis/python-api-common-protos/releases">googleapis-common-protos[grpc]'s releases</a>.</em></p> <blockquote> <h2>v1.65.0</h2> <h2><a href="https://github.com/googleapis/python-api-common-protos/compare/v1.64.0...v1.65.0">1.65.0</a> (2024-08-27)</h2> <h3>Features</h3> <ul> <li>Add field <code>experimental_features</code> to message <code>PythonSettings</code> (<a href="https://redirect.github.com/googleapis/python-api-common-protos/issues/249">#249</a>) (<a href="https://github.com/googleapis/python-api-common-protos/commit/139490fedcebf1a6674d9cf058226e6814208619">139490f</a>)</li> </ul> <h2>v1.64.0</h2> <h2><a href="https://github.com/googleapis/python-api-common-protos/compare/v1.63.2...v1.64.0">1.64.0</a> (2024-08-26)</h2> <h3>Features</h3> <ul> <li>Add FieldInfo.referenced_types for generics (<a href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li>Un-deprecate Endpoint.aliases field (<a href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li> </ul> <h3>Documentation</h3> <ul> <li>Fix formatting in http.proto comments (<a href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li> <li>Improve MethodSettings selector examples (<a href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li> <li>Reformat comments in context proto (<a href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li> <li>Update ResourceDescriptor.plural docs with AIP-122 nested collections guidance (<a href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/googleapis/python-api-common-protos/blob/main/CHANGELOG.md">googleapis-common-protos[grpc]'s changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/googleapis/python-api-common-protos/compare/v1.64.0...v1.65.0">1.65.0</a> (2024-08-27)</h2> <h3>Features</h3> <ul> <li>Add field <code>experimental_features</code> to message <code>PythonSettings</code> (<a href="https://redirect.github.com/googleapis/python-api-common-protos/issues/249">#249</a>) (<a href="https://github.com/googleapis/python-api-common-protos/commit/139490fedcebf1a6674d9cf058226e6814208619">139490f</a>)</li> </ul> <h2><a href="https://github.com/googleapis/python-api-common-protos/compare/v1.63.2...v1.64.0">1.64.0</a> (2024-08-26)</h2> <h3>Features</h3> <ul> <li>Add FieldInfo.referenced_types for generics (<a href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li>Un-deprecate Endpoint.aliases field (<a href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li> </ul> <h3>Documentation</h3> <ul> <li>Fix formatting in http.proto comments (<a href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li> <li>Improve MethodSettings selector examples (<a href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li> <li>Reformat comments in context proto (<a href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li> <li>Update ResourceDescriptor.plural docs with AIP-122 nested collections guidance (<a href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be">2ba3577</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/googleapis/python-api-common-protos/commit/f30115b7302afc91bf06f210a270a6530b7fafdf"><code>f30115b</code></a> chore(main): release 1.65.0 (<a href="https://redirect.github.com/googleapis/python-api-common-protos/issues/250">#250</a>)</li> <li><a href="https://github.com/googleapis/python-api-common-protos/commit/139490fedcebf1a6674d9cf058226e6814208619"><code>139490f</code></a> feat: Add field <code>experimental_features</code> to message <code>PythonSettings</code> (<a href="https://redirect.github.com/googleapis/python-api-common-protos/issues/249">#249</a>)</li> <li><a href="https://github.com/googleapis/python-api-common-protos/commit/9099f715cd7fa6b5d796c8ceddcb852e367b2bc2"><code>9099f71</code></a> chore(main): release 1.64.0 (<a href="https://redirect.github.com/googleapis/python-api-common-protos/issues/248">#248</a>)</li> <li><a href="https://github.com/googleapis/python-api-common-protos/commit/2ba35774cb6ea31513b1985e3a391c5c3435e7be"><code>2ba3577</code></a> feat: add FieldInfo.referenced_types for generics (<a href="https://redirect.github.com/googleapis/python-api-common-protos/issues/247">#247</a>)</li> <li><a href="https://github.com/googleapis/python-api-common-protos/commit/f949829be77f2d4e3fde59ddc4e15cbfc60639c8"><code>f949829</code></a> chore(python): use python 3.10 for docs build (<a href="https://redirect.github.com/googleapis/python-api-common-protos/issues/243">#243</a>)</li> <li><a href="https://github.com/googleapis/python-api-common-protos/commit/996bf2bffa13ed2ffb6dd0321c84a0c132802eb7"><code>996bf2b</code></a> chore: update templated files (<a href="https://redirect.github.com/googleapis/python-api-common-protos/issues/239">#239</a>)</li> <li>See full diff in <a href="https://github.com/googleapis/python-api-common-protos/compare/v1.63.2...v1.65.0">compare view</a></li> </ul> </details> <br /> Updates `grpcio-status` from 1.66.0 to 1.66.1 Updates `grpcio` from 1.66.0 to 1.66.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/grpc/grpc/releases">grpcio's releases</a>.</em></p> <blockquote> <h2>Release v1.66.1</h2> <p>This is release gRPC Core 1.66.1 (gladiator).</p> <p>For gRPC documentation, see <a href="https://grpc.io/">grpc.io</a>. For previous releases, see <a href="https://github.com/grpc/grpc/releases">Releases</a>.</p> <p>This release contains refinements, improvements, and bug fixes.</p> <h1>Core</h1> <ul> <li>Enable EDS dualstack support by default (<a href="https://redirect.github.com/grpc/grpc/pull/37545">grpc/grpc#37545</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/grpc/grpc/commit/e821cdc231bda9ee93139a6daab6311dd8953832"><code>e821cdc</code></a> [Release] Bump version to 1.66.1 (on v1.66.x branch) (<a href="https://redirect.github.com/grpc/grpc/issues/37570">#37570</a>)</li> <li><a href="https://github.com/grpc/grpc/commit/c8ada9c7ee26074392f7cacefda01d1016d9f9d7"><code>c8ada9c</code></a> [dualstack] enable EDS dualstack support by default (backport to 1.66.x) (<a href="https://redirect.github.com/grpc/grpc/issues/37">#37</a>...</li> <li>See full diff in <a href="https://github.com/grpc/grpc/compare/v1.66.0...v1.66.1">compare view</a></li> </ul> </details> <br /> Updates `numpy` from 2.0.1 to 2.1.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/numpy/numpy/releases">numpy's releases</a>.</em></p> <blockquote> <h2>2.1.0 (Aug 18, 2024)</h2> <h1>NumPy 2.1.0 Release Notes</h1> <p>NumPy 2.1.0 provides support for the upcoming Python 3.13 release and drops support for Python 3.9. In addition to the usual bug fixes and updated Python support, it helps get us back into our usual release cycle after the extended development of 2.0. The highlights for this release are:</p> <ul> <li>Support for the array-api 2023.12 standard.</li> <li>Support for Python 3.13.</li> <li>Preliminary support for free threaded Python 3.13.</li> </ul> <p>Python versions 3.10-3.13 are supported in this release.</p> <h2>New functions</h2> <h3>New function <code>numpy.unstack</code></h3> <p>A new function <code>np.unstack(array, axis=...)</code> was added, which splits an array into a tuple of arrays along an axis. It serves as the inverse of [numpy.stack]{.title-ref}.</p> <p>(<a href="https://redirect.github.com/numpy/numpy/pull/26579">gh-26579</a>)</p> <h2>Deprecations</h2> <ul> <li> <p>The <code>fix_imports</code> keyword argument in <code>numpy.save</code> is deprecated. Since NumPy 1.17, <code>numpy.save</code> uses a pickle protocol that no longer supports Python 2, and ignored <code>fix_imports</code> keyword. This keyword is kept only for backward compatibility. It is now deprecated.</p> <p>(<a href="https://redirect.github.com/numpy/numpy/pull/26452">gh-26452</a>)</p> </li> <li> <p>Passing non-integer inputs as the first argument of [bincount]{.title-ref} is now deprecated, because such inputs are silently cast to integers with no warning about loss of precision.</p> <p>(<a href="https://redirect.github.com/numpy/numpy/pull/27076">gh-27076</a>)</p> </li> </ul> <h2>Expired deprecations</h2> <ul> <li> <p>Scalars and 0D arrays are disallowed for <code>numpy.nonzero</code> and <code>numpy.ndarray.nonzero</code>.</p> <p>(<a href="https://redirect.github.com/numpy/numpy/pull/26268">gh-26268</a>)</p> </li> <li> <p><code>set_string_function</code> internal function was removed and <code>PyArray_SetStringFunction</code> was stubbed out.</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/numpy/numpy/commit/2f7fe64b8b6d7591dd208942f1cc74473d5db4cb"><code>2f7fe64</code></a> Merge pull request <a href="https://redirect.github.com/numpy/numpy/issues/27236">#27236</a> from charris/prepare-2.1.0</li> <li><a href="https://github.com/numpy/numpy/commit/b6f434f852e9d1ed4f7de9a3a465b38171d54a61"><code>b6f434f</code></a> REL: Prepare for the NumPy 2.1.0 release [wheel build]</li> <li><a href="https://github.com/numpy/numpy/commit/3cf93948797fb81fc251c26cb90d6c44f8374c54"><code>3cf9394</code></a> Merge pull request <a href="https://redirect.github.com/numpy/numpy/issues/27234">#27234</a> from charris/backport-25984</li> <li><a href="https://github.com/numpy/numpy/commit/7443dcc915fea1e905f354da511e9e60da82e19c"><code>7443dcc</code></a> Merge pull request <a href="https://redirect.github.com/numpy/numpy/issues/27233">#27233</a> from charris/backport-27223</li> <li><a href="https://github.com/numpy/numpy/commit/85b1cab2ad5f418cca485042478622ce13a497a7"><code>85b1cab</code></a> BUG: Allow fitting of degree zero polynomials with Polynomial.fit</li> <li><a href="https://github.com/numpy/numpy/commit/395a81dee5be52b2acff817e6f16652d23181fc3"><code>395a81d</code></a> DOC: reword discussion about shared arrays to hopefully be clearer</li> <li><a href="https://github.com/numpy/numpy/commit/5af2e965a02137cd05706d8d395d8263f395f7c7"><code>5af2e96</code></a> Move NUMUSERTYPES thread safety discussion to legacy DType API docs</li> <li><a href="https://github.com/numpy/numpy/commit/d902c24b684e8ba5370a160a375beaa77bae5032"><code>d902c24</code></a> DOC: add docs on thread safety in NumPy</li> <li><a href="https://github.com/numpy/numpy/commit/c080180fabc1f8fcde14c27e3df2de8fcbe7cf03"><code>c080180</code></a> Merge pull request <a href="https://redirect.github.com/numpy/numpy/issues/27229">#27229</a> from charris/backport-27226</li> <li><a href="https://github.com/numpy/numpy/commit/44ce7e8f7b43c1045ad78eecaac0435fff491fae"><code>44ce7e8</code></a> BUG: Fix <code>PyArray_ZeroContiguousBuffer</code> (resize) with struct dtypes</li> <li>Additional commits viewable in <a href="https://github.com/numpy/numpy/compare/v2.0.1...v2.1.0">compare view</a></li> </ul> </details> <br /> Updates `pylint` from 3.2.6 to 3.2.7 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pylint-dev/pylint/commit/a98215b8c6a6203dd56366bcfe1cd946fb41282a"><code>a98215b</code></a> Bump pylint to 3.2.7, update changelog</li> <li><a href="https://github.com/pylint-dev/pylint/commit/1deaffababe77e8a025e3b2e5d564d4feb8d987f"><code>1deaffa</code></a> Fix to maintain order of package paths (<a href="https://redirect.github.com/pylint-dev/pylint/issues/9887">#9887</a>) (<a href="https://redirect.github.com/pylint-dev/pylint/issues/9897">#9897</a>)</li> <li><a href="https://github.com/pylint-dev/pylint/commit/b4c2951e62c6ba8e061d4c001192efdedcb6f498"><code>b4c2951</code></a> [Backport maintenance/3.2.x] Fix a crash in <code>undefined-loop-variable</code> with `e...</li> <li><a href="https://github.com/pylint-dev/pylint/commit/f1925f46ff4c93e7d191d24746b601cfeb0b4e3c"><code>f1925f4</code></a> Fix crash in refactoring checker when calling bound lambda (<a href="https://redirect.github.com/pylint-dev/pylint/issues/9867">#9867</a>)</li> <li><a href="https://github.com/pylint-dev/pylint/commit/7d1626cf869dab1365150265bad45da7e4221bc1"><code>7d1626c</code></a> Fix a false positive <code>unreachable</code> for <code>NoReturn</code> coroutine functions (<a href="https://redirect.github.com/pylint-dev/pylint/issues/9844">#9844</a>)...</li> <li>See full diff in <a href="https://github.com/pylint-dev/pylint/compare/v3.2.6...v3.2.7">compare view</a></li> </ul> </details> <br /> Updates `zipp` from 3.20.0 to 3.20.1 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jaraco/zipp/blob/main/NEWS.rst">zipp's changelog</a>.</em></p> <blockquote> <h1>v3.20.1</h1> <h2>Bugfixes</h2> <ul> <li><code>python/cpython#123270</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/jaraco/zipp/commit/c23e5498d156fabfadcb26453dc363ef7d26e51a"><code>c23e549</code></a> Finalize</li> <li><a href="https://github.com/jaraco/zipp/commit/c2b9015366cf3f3b67a4e88c75833b9e3f498826"><code>c2b9015</code></a> Merge pull request <a href="https://redirect.github.com/jaraco/zipp/issues/124">#124</a> from jaraco/bugfix/gh-123270-supported-names</li> <li><a href="https://github.com/jaraco/zipp/commit/774a3ac67f5b827684e8c3b2e03c5f8bbb440593"><code>774a3ac</code></a> Add TODO to consolidate this behavior in CPython.</li> <li><a href="https://github.com/jaraco/zipp/commit/cc61e6140f0dfde2ff372db932442cf6df890f09"><code>cc61e61</code></a> Prefer simpler path.rstrip to consolidate checks for empty or only paths.</li> <li><a href="https://github.com/jaraco/zipp/commit/bec712f098666b1767502d793d36b51afd0d7e94"><code>bec712f</code></a> Mark unused code as uncovered.</li> <li><a href="https://github.com/jaraco/zipp/commit/fde82dcfdea5722c5126e83921773c629a8ba400"><code>fde82dc</code></a> Add news fragment.</li> <li><a href="https://github.com/jaraco/zipp/commit/a421f7e38d88ca9b6b58c89c6b3f141c07fdc588"><code>a421f7e</code></a> Invent DirtyZipInfo to create an unsanitized zipfile with backslashes.</li> <li><a href="https://github.com/jaraco/zipp/commit/0a3a7b4652e417f61de2458506d05570e22df018"><code>0a3a7b4</code></a> Refine expectation that paths with leading slashes are simply not visible.</li> <li><a href="https://github.com/jaraco/zipp/commit/f89b93f0370dd85d23d243e25dfc1f99f4d8de48"><code>f89b93f</code></a> Address infinite loop when zipfile begins with more than one leading slash.</li> <li><a href="https://github.com/jaraco/zipp/commit/3cb5609002263eb19f7b5efda82d96f1f57fe876"><code>3cb5609</code></a> Removed SanitizedNames.</li> <li>Additional commits viewable in <a href="https://github.com/jaraco/zipp/compare/v3.20.0...v3.20.1">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Ben Hammond <[email protected]>
…H-123354) (#123433) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286) (cherry picked from commit 17b77bb) (cherry picked from commit 66d3383) Co-authored-by: Jason R. Coombs <[email protected]>
…H-123354) (#123432) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286) (cherry picked from commit 17b77bb) Co-authored-by: Jason R. Coombs <[email protected]>
…H-123354) (#123425) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286) Co-authored-by: Jason R. Coombs <[email protected]> * Restore the slash-prefixed paths in the malformed_paths test.
…H-123354) (#123426) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286) (cherry picked from commit 17b77bb) Co-authored-by: Jason R. Coombs <[email protected]>
I think documenting the caveats would be good.
Something like that might be nice. Though perhaps it could be more generic instead of being part of |
I opened two issues to track. I'm not planning on driving them, but I'm happy to guide and advise. Feel free to take one or both on, or help drive the conversation toward something that's acceptable. Thanks. |
Thanks. I have too many other projects to work on currently to take this on, but happy to comment and review when I can :) |
Hi, I'm new to contributing in general and have some experience in programming. I wanted to start by helping with documentation. How can I get started on this? |
I don't think there's anything here that needs documentation updates, since it's a bugfix. You should take a look at the devguide. |
But #123726 is about updating the documentation to explain the caveats regarding name sanitation as a result of the discussion here :) |
Bumps [zipp](https://github.com/jaraco/zipp) from 3.20.0 to 3.20.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jaraco/zipp/blob/main/NEWS.rst">zipp's changelog</a>.</em></p> <blockquote> <h1>v3.20.2</h1> <h2>Bugfixes</h2> <ul> <li>Make zipp.compat.overlay.zipfile hashable. (<a href="https://redirect.github.com/jaraco/zipp/issues/126">#126</a>)</li> </ul> <h1>v3.20.1</h1> <h2>Bugfixes</h2> <ul> <li><code>python/cpython#123270</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/jaraco/zipp/commit/a575660e5c76daca0924f6e9520fd7109e05f424"><code>a575660</code></a> Make no assertions about the number. It could be negative.</li> <li><a href="https://github.com/jaraco/zipp/commit/0b3a1b9ddbc8d9f646d51810b082711bf03261c7"><code>0b3a1b9</code></a> Finalize</li> <li><a href="https://github.com/jaraco/zipp/commit/a4c79614a52f34d2999246d807538d46e5986feb"><code>a4c7961</code></a> Make zipp.compat.overlay.zipfile hashable.</li> <li><a href="https://github.com/jaraco/zipp/commit/d66007a66b7dbd88e69eaf59faae8b614cba256d"><code>d66007a</code></a> Merge <a href="https://github.com/jaraco/skeleton">https://github.com/jaraco/skeleton</a></li> <li><a href="https://github.com/jaraco/zipp/commit/3fe8c5ba792fd58a5a24eef4e8a845f3b5dd6c2c"><code>3fe8c5b</code></a><code>jaraco/skeleton#146</code></li> <li><a href="https://github.com/jaraco/zipp/commit/81b766c06cc83679c4a04c2bfa6d2c8cc559bf33"><code>81b766c</code></a> Fix an incompatibility (and source of merge conflicts) with projects using Ru...</li> <li><a href="https://github.com/jaraco/zipp/commit/b8a63ca4b77d28eb808c457ec781ed3f8ba50671"><code>b8a63ca</code></a> Merge pull request <a href="https://redirect.github.com/jaraco/zipp/issues/125">#125</a> from saschanaz/patch-1</li> <li><a href="https://github.com/jaraco/zipp/commit/0b95ec706308342782231a9be2acd98be7ccf996"><code>0b95ec7</code></a> Suppress F821</li> <li><a href="https://github.com/jaraco/zipp/commit/5d2fa666ffae2e89a6e4ccbc5ed9b3a5b8d64fc0"><code>5d2fa66</code></a> Merge <a href="https://github.com/jaraco/skeleton">https://github.com/jaraco/skeleton</a></li> <li><a href="https://github.com/jaraco/zipp/commit/a675458e1a7d6ae81d0d441338a74dc98ffc5a61"><code>a675458</code></a> Allow the workflow to be triggered manually.</li> <li>Additional commits viewable in <a href="https://github.com/jaraco/zipp/compare/v3.20.0...v3.20.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=zipp&package-manager=pip&previous-version=3.20.0&new-version=3.20.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [zipp](https://github.com/jaraco/zipp) from 3.20.0 to 3.20.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jaraco/zipp/blob/main/NEWS.rst">zipp's changelog</a>.</em></p> <blockquote> <h1>v3.20.2</h1> <h2>Bugfixes</h2> <ul> <li>Make zipp.compat.overlay.zipfile hashable. (<a href="https://redirect.github.com/jaraco/zipp/issues/126">#126</a>)</li> </ul> <h1>v3.20.1</h1> <h2>Bugfixes</h2> <ul> <li><code>python/cpython#123270</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/jaraco/zipp/commit/a575660e5c76daca0924f6e9520fd7109e05f424"><code>a575660</code></a> Make no assertions about the number. It could be negative.</li> <li><a href="https://github.com/jaraco/zipp/commit/0b3a1b9ddbc8d9f646d51810b082711bf03261c7"><code>0b3a1b9</code></a> Finalize</li> <li><a href="https://github.com/jaraco/zipp/commit/a4c79614a52f34d2999246d807538d46e5986feb"><code>a4c7961</code></a> Make zipp.compat.overlay.zipfile hashable.</li> <li><a href="https://github.com/jaraco/zipp/commit/d66007a66b7dbd88e69eaf59faae8b614cba256d"><code>d66007a</code></a> Merge <a href="https://github.com/jaraco/skeleton">https://github.com/jaraco/skeleton</a></li> <li><a href="https://github.com/jaraco/zipp/commit/3fe8c5ba792fd58a5a24eef4e8a845f3b5dd6c2c"><code>3fe8c5b</code></a><code>jaraco/skeleton#146</code></li> <li><a href="https://github.com/jaraco/zipp/commit/81b766c06cc83679c4a04c2bfa6d2c8cc559bf33"><code>81b766c</code></a> Fix an incompatibility (and source of merge conflicts) with projects using Ru...</li> <li><a href="https://github.com/jaraco/zipp/commit/b8a63ca4b77d28eb808c457ec781ed3f8ba50671"><code>b8a63ca</code></a> Merge pull request <a href="https://redirect.github.com/jaraco/zipp/issues/125">#125</a> from saschanaz/patch-1</li> <li><a href="https://github.com/jaraco/zipp/commit/0b95ec706308342782231a9be2acd98be7ccf996"><code>0b95ec7</code></a> Suppress F821</li> <li><a href="https://github.com/jaraco/zipp/commit/5d2fa666ffae2e89a6e4ccbc5ed9b3a5b8d64fc0"><code>5d2fa66</code></a> Merge <a href="https://github.com/jaraco/skeleton">https://github.com/jaraco/skeleton</a></li> <li><a href="https://github.com/jaraco/zipp/commit/a675458e1a7d6ae81d0d441338a74dc98ffc5a61"><code>a675458</code></a> Allow the workflow to be triggered manually.</li> <li>Additional commits viewable in <a href="https://github.com/jaraco/zipp/compare/v3.20.0...v3.20.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=zipp&package-manager=pip&previous-version=3.20.0&new-version=3.20.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bug report
Bug description:
#122906 introduced a regression with directories that look like Windows drive letters (on Linux):
This is the result of
_sanitize()
unconditionally treating a directory that looks like a drive letter as such and removing the colon, regardless of operating system:cpython/Lib/zipfile/_path/__init__.py
Line 141 in 58fdb16
Whereas
_extract_member()
usesos.path.splitdrive()
(which is a no-op on Linux):cpython/Lib/zipfile/__init__.py
Line 1807 in 58fdb16
CPython versions tested on:
3.12
Operating systems tested on:
Linux
Linked PRs
The text was updated successfully, but these errors were encountered: