[3.5] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454)backport-5a8d121-3.5

Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). (cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4) Co-authored-by: Rishi <rishi_devan@mail.com>
author: Rishi <rishi_devan@mail.com> 2020-07-15 13:51:00 +0200
committer: Petr Viktorin <pviktori@redhat.com> 2020-07-15 17:28:12 +0200
commit: bde4372aa1f39803f5c33f1415e88b000d403d00 (patch)
tree: 9532089be9064f42f8e6a4a22bcac186fe8c3445 /Lib/test/test_tarfile.py
parent: f52bf62fe12d46267e958f80dbe1f4425b55cd0f (diff)
download: cpython-git-backport-5a8d121-3.5.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
index 1efb841bb2..2438fd3abf 100644
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
@@ -394,6 +394,13 @@ class CommonReadTest(ReadTest):
                 with self.assertRaisesRegex(tarfile.ReadError, "unexpected end of data"):
                     tar.extractfile(t).read()
 
+    def test_length_zero_header(self):
+        # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
+        # with an exception
+        with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"):
+            with tarfile.open(support.findfile('recursion.tar')) as tar:
+                pass
+
 class MiscReadTestBase(CommonReadTest):
     def requires_name_attribute(self):
         pass
author	Rishi <rishi_devan@mail.com>	2020-07-15 13:51:00 +0200
committer	Petr Viktorin <pviktori@redhat.com>	2020-07-15 17:28:12 +0200
commit	bde4372aa1f39803f5c33f1415e88b000d403d00 (patch)
tree	9532089be9064f42f8e6a4a22bcac186fe8c3445 /Lib/test/test_tarfile.py
parent	f52bf62fe12d46267e958f80dbe1f4425b55cd0f (diff)
download	cpython-git-backport-5a8d121-3.5.tar.gz