| author | Sam Ezeh <sam.z.ezeh@gmail.com> | 2022-05-02 17:15:04 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-05-02 17:15:04 (GMT) |
| commit | 4b297a9ffd4a1d420c1a8016f4ed2c7f1d298469 | |
| tree | a5c0f29e798add803902452b551959fb8b88632e /Doc | |
| parent | feb45d0ae98f3030b2b07089bc0eb066b69f5625 | |
gh-91783: Document security considerations for shutil.unpack_archive (#91844)
Diffstat (limited to 'Doc')
-rw-r--r-- | Doc/library/shutil.rst | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/Doc/library/shutil.rst b/Doc/library/shutil.rst index cb72ff6..9a25b0d 100644 --- a/Doc/library/shutil.rst +++ b/Doc/library/shutil.rst @@ -636,10 +636,16 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules. .. audit-event:: shutil.unpack_archive filename,extract_dir,format shutil.unpack_archive + .. warning:: + + Never extract archives from untrusted sources without prior inspection. + It is possible that files are created outside of the path specified in + the *extract_dir* argument, e.g. members that have absolute filenames + starting with "/" or filenames with two dots "..". + .. versionchanged:: 3.7 Accepts a :term:`path-like object` for *filename* and *extract_dir*. - .. function:: register_unpack_format(name, extensions, function[, extra_args[, description]]) Registers an unpack format. *name* is the name of the format and |
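Review bot: The phrase "filenames with two dots ".."" in the new warning is imprecise: a member named `a..b` is harmless, and what actually escapes *extract_dir* is a path component equal to `..`, so consider wording it as "or paths containing a ``..`` component". The two examples given (absolute paths and `..`) are also not the only way an archive member can cause writes outside *extract_dir*; since the preceding context notes that these functions rely on :mod:`tarfile`, it is worth adding that symbolic and hard link members in tar archives can redirect a later member's write to a location outside the target directory, and cross-referencing the :mod:`zipfile` and :mod:`tarfile` documentation for details on inspecting members before extraction. Minor style point for the same block: Sphinx docs generally spell out "for example" rather than "e.g." in running text.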