bindings: python: specify a tar extract filter

Starting in Python 3.12, extracting files from tarballs without a filter
specified generates a DeprecationWarning [0].

For Python >= 3.12, specify the `fully_trusted_filter` filter which
replicates the behavior from previous versions.

This filter also makes sense as we should be able to trust the tarball
the maintainers generate after the hash has been verified.

[0]: https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter

Signed-off-by: Vincent Fazio <vfazio@xes-inc.com>
Link: https://lore.kernel.org/r/20241107205001.574426-1-vfazio@xes-inc.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

diff --git a/bindings/python/setup.py b/bindings/python/setup.py
index 1f04b9939b47dc7b960679b6f24e87a6f2a4e46f..7ab783fc3e4183fb8dc20c95ffbaa1b10ac6b7d5 100644 (file)
--- a/bindings/python/setup.py
+++ b/bindings/python/setup.py
@@ -70,6 +70,7 @@ def fetch_tarball(command):
     def wrapper(self):
         # Just-in-time import of tarfile and urllib.request so these are
         # not required for Yocto to build a vendored or linked package
+        import sys
         import tarfile
         from tempfile import TemporaryDirectory
         from urllib.request import urlretrieve
@@ -122,7 +123,10 @@ def fetch_tarball(command):
             # Unpack the downloaded tarball
             log.info(f"unpacking: {tarball_filename}")
             with tarfile.open(downloaded_tarball) as f:
-                f.extractall(temp_dir)
+                if sys.version_info < (3, 12):
+                    f.extractall(temp_dir)
+                else:
+                    f.extractall(temp_dir, filter=tarfile.fully_trusted_filter)
 
             # Copy the include and lib directories we need to build libgpiod
             base_dir = path.join(temp_dir, f"libgpiod-{LIBGPIOD_VERSION}")