Patch #1262036: Prevent TarFiles from being added to themselves under

certain conditions.

(backport from rev. 53155)

Moved message from my previous change to the right place in
Misc/NEWS.

3 files changed, 26 insertions, 30 deletions

diff --git a/Lib/tarfile.py b/Lib/tarfile.py
index cffde45..4a41d9f 100644
--- a/Lib/tarfile.py
+++ b/Lib/tarfile.py
@@ -1044,7 +1044,7 @@ class TarFile(object):
            can be determined, `mode' is overridden by `fileobj's mode.
            `fileobj' is not closed, when TarFile is closed.
         """
-        self.name = name
+        self.name = os.path.abspath(name)
 
         if len(mode) > 1 or mode not in "raw":
             raise ValueError("mode must be 'r', 'a' or 'w'")
@@ -1056,7 +1056,7 @@ class TarFile(object):
             self._extfileobj = False
         else:
             if self.name is None and hasattr(fileobj, "name"):
-                self.name = fileobj.name
+                self.name = os.path.abspath(fileobj.name)
             if hasattr(fileobj, "mode"):
                 self.mode = fileobj.mode
             self._extfileobj = True
@@ -1192,24 +1192,12 @@ class TarFile(object):
         except (ImportError, AttributeError):
             raise CompressionError("gzip module is not available")
 
-        pre, ext = os.path.splitext(name)
-        pre = os.path.basename(pre)
-        if ext == ".tgz":
-            ext = ".tar"
-        if ext == ".gz":
-            ext = ""
-        tarname = pre + ext
-
         if fileobj is None:
             fileobj = file(name, mode + "b")
 
-        if mode != "r":
-            name = tarname
-
         try:
-            t = cls.taropen(tarname, mode,
-                gzip.GzipFile(name, mode, compresslevel, fileobj)
-            )
+            t = cls.taropen(name, mode,
+                gzip.GzipFile(name, mode, compresslevel, fileobj))
         except IOError:
             raise ReadError("not a gzip file")
         t._extfileobj = False
@@ -1228,21 +1216,13 @@ class TarFile(object):
         except ImportError:
             raise CompressionError("bz2 module is not available")
 
-        pre, ext = os.path.splitext(name)
-        pre = os.path.basename(pre)
-        if ext == ".tbz2":
-            ext = ".tar"
-        if ext == ".bz2":
-            ext = ""
-        tarname = pre + ext
-
         if fileobj is not None:
             fileobj = _BZ2Proxy(fileobj, mode)
         else:
             fileobj = bz2.BZ2File(name, mode, compresslevel=compresslevel)
 
         try:
-            t = cls.taropen(tarname, mode, fileobj)
+            t = cls.taropen(name, mode, fileobj)
         except IOError:
             raise ReadError("not a bzip2 file")
         t._extfileobj = False
@@ -1447,8 +1427,7 @@ class TarFile(object):
             arcname = name
 
         # Skip if somebody tries to archive the archive...
-        if self.name is not None \
-            and os.path.abspath(name) == os.path.abspath(self.name):
+        if self.name is not None and os.path.abspath(name) == self.name:
             self._dbg(2, "tarfile: Skipped %r" % name)
             return
 
diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
index f229fa5..fbcd191 100644
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
@@ -290,6 +290,20 @@ class WriteTest(BaseTest):
             else:
                 self.dst.addfile(tarinfo, f)
 
+    def test_add_self(self):
+        dstname = os.path.abspath(self.dstname)
+
+        self.assertEqual(self.dst.name, dstname, "archive name must be absolute")
+
+        self.dst.add(dstname)
+        self.assertEqual(self.dst.getnames(), [], "added the archive to itself")
+
+        cwd = os.getcwd()
+        os.chdir(dirname())
+        self.dst.add(dstname)
+        os.chdir(cwd)
+        self.assertEqual(self.dst.getnames(), [], "added the archive to itself")
+
 
 class Write100Test(BaseTest):
     # The name field in a tar header stores strings of at most 100 chars.
diff --git a/Misc/NEWS b/Misc/NEWS
index f8fc7a7..205ea40 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -122,6 +122,12 @@ Extension Modules
 Library
 -------
 
+- Patch #1262036: Prevent TarFiles from being added to themselves under
+  certain conditions.
+
+- Patch #1230446: tarfile.py: fix ExFileObject so that read() and tell()
+  work correctly together with readline().
+
 - Bug #737202: Make CGIHTTPServer work for scripts in subdirectories.
   Fix by Titus Brown.
 
@@ -620,9 +626,6 @@ Core and builtins
 Library
 -------
 
-- Patch #1230446: tarfile.py: fix ExFileObject so that read() and tell()
-  work correctly together with readline().
-
 - Correction of patch #1455898: In the mbcs decoder, set final=False
   for stream decoder, but final=True for the decode function.