Skip to content

fix: use HTTPS and safe tar extraction for dataset downloads#2723

Open
Chessing234 wants to merge 1 commit into
d2l-ai:masterfrom
Chessing234:fix/2714-safe-tar-extract-and-https
Open

fix: use HTTPS and safe tar extraction for dataset downloads#2723
Chessing234 wants to merge 1 commit into
d2l-ai:masterfrom
Chessing234:fix/2714-safe-tar-extract-and-https

Conversation

@Chessing234

Copy link
Copy Markdown

Fixes #2714

Summary

  • Switch DATA_URL from HTTP to HTTPS across all framework utility modules
  • Add _safe_tar_extract() to reject path-traversal tar members (uses Python 3.12+ data filter when available)
  • Use context managers when opening zip/tar archives in extract() and download_extract()

Test plan

  • Verified tar extraction rejects ../ member paths
  • HTTPS URL applied consistently in d2l/torch.py, mxnet.py, tensorflow.py, and jax.py

Made with Cursor

Switch DATA_URL to HTTPS and reject path-traversal tar members when
extracting datasets, preventing tar-slip arbitrary file writes from
MITM-compromised downloads.

Fixes d2l-ai#2714.

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Tar-Slip Arbitrary File Write via HTTP Download in d2l

1 participant