|
| 1 | +From 4478bc8cfa1c40dbf62b9744c52a25b7709e6406 Mon Sep 17 00:00:00 2001 |
| 2 | +From: AllSpark <allspark@microsoft.com> |
| 3 | +Date: Mon, 30 Mar 2026 11:20:24 +0000 |
| 4 | +Subject: [PATCH] Backport: Use mkstemp to extract zip members to temp file to |
| 5 | + avoid path issues and race conditions |
| 6 | + |
| 7 | +Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> |
| 8 | +Upstream-reference: AI Backport of https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7.patch |
| 9 | +--- |
| 10 | + requests/utils.py | 13 +++++++------ |
| 11 | + 1 file changed, 7 insertions(+), 6 deletions(-) |
| 12 | + |
| 13 | +diff --git a/requests/utils.py b/requests/utils.py |
| 14 | +index cb9d01d..1bf4d1f 100644 |
| 15 | +--- a/requests/utils.py |
| 16 | ++++ b/requests/utils.py |
| 17 | +@@ -264,12 +264,13 @@ def extract_zipped_paths(path): |
| 18 | + return path |
| 19 | + |
| 20 | + # we have a valid zip archive and a valid member of that archive |
| 21 | +- tmp = tempfile.gettempdir() |
| 22 | +- extracted_path = os.path.join(tmp, member.split('/')[-1]) |
| 23 | +- if not os.path.exists(extracted_path): |
| 24 | +- # use read + write to avoid the creating nested folders, we only want the file, avoids mkdir racing condition |
| 25 | +- with atomic_open(extracted_path) as file_handler: |
| 26 | +- file_handler.write(zip_file.read(member)) |
| 27 | ++ suffix = os.path.splitext(member.split("/")[-1])[-1] |
| 28 | ++ fd, extracted_path = tempfile.mkstemp(suffix=suffix) |
| 29 | ++ try: |
| 30 | ++ os.write(fd, zip_file.read(member)) |
| 31 | ++ finally: |
| 32 | ++ os.close(fd) |
| 33 | ++ |
| 34 | + return extracted_path |
| 35 | + |
| 36 | + |
| 37 | +-- |
| 38 | +2.45.4 |
| 39 | + |
0 commit comments