Skip to content

fix: refuse to write files outside the target directory during sdist extraction#10837

Merged
radoering merged 1 commit intopython-poetry:mainfrom
radoering:sdist-path-traversal
Apr 12, 2026
Merged

fix: refuse to write files outside the target directory during sdist extraction#10837
radoering merged 1 commit intopython-poetry:mainfrom
radoering:sdist-path-traversal

Conversation

@radoering
Copy link
Copy Markdown
Member

@radoering radoering commented Apr 12, 2026
edited
Loading

This has already been ensured with newer Python versions. Now, it is ensured with all supported versions, that means also with 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4.

Further, 3.9.17 has been removed from broken_tarfile_filter because we do not support Python 3.9 anymore.

In addition, test coverage is increased.

Note: A path traversal during sdist extraction is not as critical as it might seem because after extracting the sdist the project is built, which may result in arbitrary code execution by design.

Pull Request Check List

  • Added tests for changed code.
  • Updated documentation for changed code.

@radoering @kodareef5
fix: refuse to write files outside the target directory during sdist …
15d1872 
…extraction

This has already been ensured with newer Python versions. Now, it is ensured with all supported versions, that means also with 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4.

Co-authored-by: Koda Reef <kodareef5@gmail.com>
sourcery-ai[bot]
sourcery-ai bot reviewed Apr 12, 2026
View reviewed changes
Copy link
Copy Markdown

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@radoering radoering merged commit 47e9734 into python-poetry:main Apr 12, 2026
54 checks passed
radoering added a commit that referenced this pull request Apr 12, 2026
@radoering @kodareef5
fix: refuse to write files outside the target directory during sdist …
e512e7f 
…extraction (#10837)

This has already been ensured with newer Python versions. Now, it is ensured with all supported versions, that means also with 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4.

Co-authored-by: Koda Reef <kodareef5@gmail.com>
(cherry picked from commit 47e9734)
@dosubot
Copy link
Copy Markdown

dosubot bot commented Apr 12, 2026

Documentation Updates

1 document(s) were updated by changes in this PR:

CHANGELOG
View Changes 
@@ -1,4 +1,10 @@
 # Change Log
+
+## [Unreleased]
+
+### Fixed
+
+- **Fix a path traversal vulnerability in sdist extraction that could allow malicious tarball files to write files outside the target directory on Python 3.10.0-3.10.12 and 3.11.0-3.11.4** ([#10837](https://github.com/python-poetry/poetry/pull/10837)).
 
 ## [2.3.3] - 2026-03-29

How did I do? Any feedback?  Join Discord

@radoering radoering mentioned this pull request Apr 12, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@radoering