Merging internal commits for release/8.0 #128093
Merged
hoyosjs merged 12 commits into release/8.0 on May 13, 2026
Conversation
…edAttributes size in TarHeader

Adds check for the "size" attribute in the ExtendedAttributes section of a tar file to prevent infinite loop with negative size. Follows the same throw logic for TarHeader's size. The negative sized tar file cannot be reproduced using .NET, hence the lack of tests.
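An added illustration of the check described in this commit (example code, not the dotnet/runtime implementation): a small PAX extended-header record parser whose `size` attribute is rejected when negative rather than being handed to the data-stream reader. The class and method names, and the two-record sample block, are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text;
// Added example, not the runtime's code. PAX extended headers are a sequence of
// records "<length> <key>=<value>\n"; <length> counts the whole record, including
// the digits, the separating space and the trailing newline.
static class PaxSizeCheck
{
    public static Dictionary<string, string> ParseRecords(byte[] block)
    {
        var attributes = new Dictionary<string, string>();
        int pos = 0;
        while (pos < block.Length)
        {
            int space = Array.IndexOf(block, (byte)' ', pos);
            if (space < 0) throw new FormatException("PAX record has no length prefix.");
            int length = int.Parse(Encoding.ASCII.GetString(block, pos, space - pos), CultureInfo.InvariantCulture);
            // need at least one byte between the space and the newline, and the record must fit the block
            if (length <= space - pos + 2 || pos + length > block.Length) throw new FormatException("PAX record length is out of range.");
            // key=value sits between the space and the trailing '\n'
            string record = Encoding.UTF8.GetString(block, space + 1, pos + length - space - 2);
            int eq = record.IndexOf('=');
            if (eq < 0) throw new FormatException("PAX record is missing '='.");
            attributes[record.Substring(0, eq)] = record.Substring(eq + 1);
            pos += length;
        }
        return attributes;
    }
    // Mirrors the commit's rule: a "size" attribute that is not a non-negative number
    // throws here instead of feeding a negative length into the data-stream reader.
    public static long ResolveSize(Dictionary<string, string> attributes, long headerSize)
    {
        if (!attributes.TryGetValue("size", out string? text)) return headerSize;
        if (!long.TryParse(text, NumberStyles.AllowLeadingSign, CultureInfo.InvariantCulture, out long size) || size < 0)
            throw new FormatException($"Invalid PAX size attribute '{text}'.");
        return size;
    }
    static void Main()
    {
        // Constructed sample: a valid path record followed by a negative size record.
        byte[] block = Encoding.ASCII.GetBytes("21 path=dir/file.txt\n14 size=-1024\n");
        var attributes = ParseRecords(block);
        try { ResolveSize(attributes, headerSize: 0); }
        catch (FormatException e) { Console.WriteLine(e.Message); }
    }
}
```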
Fix Windows tar vulnerability that allows creating a symlink to a file (and only a file, not a directory) to anywhere on the same drive where the tar is extracted.

#### AI description (iteration 1)
#### PR Classification
Bug fix to correct Windows tar symlink validation when extracting archives with rooted paths outside the destination directory.
#### PR Summary
Fixes a security issue in tar extraction on Windows where symlinks with rooted paths (like `\Temp\file.txt`) were incorrectly validated, allowing extraction outside the intended destination directory. The fix replaces `Path.IsPathFullyQualified()` with `Path.IsPathRooted()` and ensures proper path resolution.
- `TarEntry.cs`: Changed symlink validation logic from `Path.IsPathFullyQualified()` to `Path.IsPathRooted()` with `Path.GetFullPath()` for both file destination paths and link targets to properly detect and reject rooted paths pointing outside the destination
- `TarFile.ExtractToDirectory.File.Tests.Windows.cs`: Added test `ExtractToDirectory_RejectsSymlinkWithRootedTargetOutsideDestination()` to verify that symlinks with rooted targets outside the destination directory throw `IOException` and are not created
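An added illustration of why this commit swaps `Path.IsPathFullyQualified()` for `Path.IsPathRooted()` (example code modelling the check, not the runtime's `TarEntry.cs`): on Windows, `\Temp\file.txt` is rooted but not fully qualified, so the old gate never resolves it, while the new gate resolves it with `Path.GetFullPath()` against the current drive and rejects it. The class name, the two method names and the sample destination and targets are constructed; relative targets, which the runtime checks separately against the link's own directory, are out of scope here.

```csharp
using System;
using System.IO;
// Added example, not the dotnet/runtime code. Run on Windows: @"\Temp\file.txt"
// has a leading separator (rooted) but no drive letter (not fully qualified).
static class SymlinkTargetCheck
{
    // Gate used before the fix: only drive-qualified targets such as
    // @"C:\Temp\file.txt" are resolved and compared against the destination.
    public static bool EscapesDestinationBefore(string destinationDirectory, string linkTarget)
        => Path.IsPathFullyQualified(linkTarget) && IsOutside(destinationDirectory, linkTarget);
    // Gate used after the fix: any rooted target is resolved and compared, so a
    // drive-relative target is caught once GetFullPath attaches the current drive.
    public static bool EscapesDestinationAfter(string destinationDirectory, string linkTarget)
        => Path.IsPathRooted(linkTarget) && IsOutside(destinationDirectory, linkTarget);
    // Shared comparison: the resolved target must stay under the destination directory.
    static bool IsOutside(string destinationDirectory, string linkTarget)
    {
        string destination = Path.GetFullPath(destinationDirectory)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string resolved = Path.GetFullPath(linkTarget); // @"\Temp\..." becomes "<current drive>:\Temp\..."
        return !resolved.StartsWith(destination, StringComparison.OrdinalIgnoreCase);
    }
    static void Main()
    {
        const string destinationDirectory = @"C:\extract"; // constructed sample
        string[] targets = { @"\Temp\file.txt", @"C:\Temp\file.txt", @"C:\extract\inner\file.txt" };
        foreach (string target in targets)
        {
            Console.WriteLine($"{target,-28} before: {EscapesDestinationBefore(destinationDirectory, target),-5} " +
                              $"after: {EscapesDestinationAfter(destinationDirectory, target)}");
        }
    }
}
```

The first target is the case the commit describes: only the `after` gate rejects it; the third shows that a fully qualified target inside the destination is still allowed by both.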
…hannelVersion 2.4.18

Updated Versions.props - MicrosoftNativeQuicMsQuicSchannelVersion 2.4.18

#### AI description (iteration 1)
#### PR Classification
Dependency version update to upgrade the MsQuic Schannel package from version 2.4.17 to 2.4.18.
#### PR Summary
This pull request updates the MsQuic Schannel dependency version in the project's version management file.
- `eng/Versions.props`: Updated `MicrosoftNativeQuicMsQuicSchannelVersion` from 2.4.17 to 2.4.18
…-merge-8.0-2026-05-12-1251
Contributor
Pull request overview
This PR merges internal release/8.0 changes that harden System.Formats.Tar extraction behavior (notably around symlink targets on Windows and invalid header metadata), and updates a native dependency version for the release branch.
Changes:
- Reject Windows symbolic link targets that are rooted but not fully qualified during extraction, and add a Windows-specific regression test.
- Validate and reject negative `size` values coming from PAX extended attributes when reading headers.
- Bump `MicrosoftNativeQuicMsQuicSchannelVersion` from 2.4.17 to 2.4.18.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/libraries/System.Formats.Tar/tests/TarFile/TarFile.ExtractToDirectory.File.Tests.Windows.cs | Adds a Windows test covering extraction rejection of rooted (non-fully-qualified) symlink targets. |
| src/libraries/System.Formats.Tar/src/System/Formats/Tar/TarHeader.Read.cs | Throws on negative PAX size to prevent invalid data stream sizing. |
| src/libraries/System.Formats.Tar/src/System/Formats/Tar/TarEntry.cs | Adds Windows-specific validation to reject ambiguous rooted symlink targets during extraction; includes minor formatting adjustment. |
| eng/Versions.props | Updates MsQuic Schannel package version used by the build. |
hoyosjs approved these changes on May 13, 2026
Contributor
Tagging subscribers to this area: @dotnet/runtime-infrastructure