Version 0.4.2 of distlib has recently been released on PyPI. It contains important security hardening, so please update as soon as possible.
For newcomers, distlib is a library of packaging functionality which is intended to be usable as the basis for third-party packaging tools.
The main changes in this release are as follows:
- In locators, fix URL percent-encoding using space-padding instead of zero-padding. Thanks to Kadir Can Ozden for the patch. Also, harden decompression against malicious input. Thanks to tonghuaroot for the patch, which was adapted slightly.
- In manifest, use os.lstat in findall to correctly detect symlinked directories. Thanks to Kadir Can Ozden for the patch.
- In metadata, improve logic to incorporate newer metadata versions.
- In resources, ensure that constructed resource paths don't escape the package. Thanks to tonghuaroot for the patch.
- Fix #255: Update cache_from_source() for Python 3.15. Thanks to Victor Stinner for the patch.
- In util, check during unarchiving that the destination directory isn't escaped via symlinks. Thanks to tonghuaroot for the patch. Also, improve performance of normalize_name using dual replace. Thanks to Hugo van Kemenade for the patch.
- In wheel, add checks that installed files don't escape the installation directory, and add checks when mounting extensions to ensure path containment. Thanks to tonghuaroot for the patches.
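As an added illustration of the path-containment checks mentioned above for util and wheel (example code written for this post, not distlib's own implementation), the following resolves each archive member name against the destination directory with os.path.realpath, so that a member escaping through a pre-existing symlink is rejected as well as one using ".." or an absolute name. The function names and the constructed directory layout are this example's own.

```python
import os
import tempfile


def is_contained(dest_dir, member_name):
    """True if dest_dir/member_name resolves to a location inside dest_dir.

    os.path.realpath resolves symlinks in existing path components, so a
    member that traverses a symlinked directory inside dest_dir is rejected
    even though its name contains no '..'. An absolute member name is also
    rejected, because os.path.join discards dest_dir for it."""
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def partition_members(dest_dir, member_names):
    """Split archive member names into (accepted, rejected) for dest_dir."""
    accepted, rejected = [], []
    for name in member_names:
        (accepted if is_contained(dest_dir, name) else rejected).append(name)
    return accepted, rejected


def demo():
    """Constructed scenario: the destination already contains a symlink that
    points outside it (as an earlier-extracted or pre-existing link would).
    Returns the member names that the containment check rejects."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "dest")
        outside = os.path.join(root, "outside")
        os.makedirs(dest)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(dest, "escape"))
        members = [
            "pkg/__init__.py",     # ordinary file: accepted
            "../sibling.py",       # lexical traversal: rejected
            "/absolute/path.py",   # absolute name: rejected
            "escape/payload.py",   # no '..', but goes through the symlink: rejected
        ]
        _, rejected = partition_members(dest, members)
        return rejected
```

The same check applies per member before anything is written, since extracting first and checking afterwards would already have placed the file outside the directory.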
A more detailed change log is available here.
Please try it out, and if you find any problems or have any suggestions for improvements, please give some feedback using the issue tracker!