Explicitly pass filter to TarFile.extractall on Python >=3.12 (#458)

Pass a `filter="data"` argument to `TarFile.extractall` to prevent dangerous security issues. The `filter` argument was added in Python 3.12, so only pass it on versions greater or equal than that. This change matches the default behaviour that will take place since Python 3.14.
fatiando · Jan 24, 2025 · f6cbd82 · f6cbd82
1 parent 5860444
commit f6cbd82
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/pooch/processors.py b/pooch/processors.py
@@ -8,12 +8,14 @@
 """
 Post-processing hooks
 """
+
 import abc
 import os
 import bz2
 import gzip
 import lzma
 import shutil
+import sys
 from zipfile import ZipFile
 from tarfile import TarFile
 
@@ -253,13 +255,14 @@ def _extract_file(self, fname, extract_dir):
         This method receives an argument for the archive to extract and the
         destination path.
         """
+        filter_kwarg = {} if sys.version_info < (3, 12) else {"filter": "data"}
         with TarFile.open(fname, "r") as tar_file:
             if self.members is None:
                 get_logger().info(
                     "Untarring contents of '%s' to '%s'", fname, extract_dir
                 )
                 # Unpack all files from the archive into our new folder
-                tar_file.extractall(path=extract_dir)
+                tar_file.extractall(path=extract_dir, **filter_kwarg)
             else:
                 for member in self.members:
                     get_logger().info(
@@ -281,7 +284,9 @@ def _extract_file(self, fname, extract_dir):
                         )
                     ]
                     # Extract the data file from within the archive
-                    tar_file.extractall(members=subdir_members, path=extract_dir)
+                    tar_file.extractall(
+                        members=subdir_members, path=extract_dir, **filter_kwarg
+                    )
 
 
 class Decompress:  # pylint: disable=too-few-public-methods

diff --git a/pyproject.toml b/pyproject.toml
@@ -38,6 +38,7 @@ dependencies = [
 progress = ["tqdm>=4.41.0,<5.0.0"]
 sftp = ["paramiko>=2.7.0"]
 xxhash = ["xxhash>=1.4.3"]
+test = ["pytest-httpserver", "pytest-localftpserver"]
 
 [project.urls]
 "Documentation" = "https://www.fatiando.org/pooch"