author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> 2022-05-02 17:36:05 (GMT)
committer: GitHub <noreply@github.com> 2022-05-02 17:36:05 (GMT)
commit: d113674b3e20ee35ca8890650f7c0b3912f14fef
tree: 587dc40afa8e0221b6302f11dcfde4100f944fff /Doc
parent: 1a7867fc0c3913828157e23623381baa7625b626
gh-91783: Document security considerations for shutil.unpack_archive (GH-91844)
(cherry picked from commit 4b297a9ffd4a1d420c1a8016f4ed2c7f1d298469)
Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
Diffstat (limited to 'Doc')
-rw-r--r-- Doc/library/shutil.rst 8
1 files changed, 7 insertions, 1 deletions
diff --git a/Doc/library/shutil.rst b/Doc/library/shutil.rst
index 403df45..193c010 100644
--- a/Doc/library/shutil.rst
+++ b/Doc/library/shutil.rst
@@ -630,10 +630,16 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules.
.. audit-event:: shutil.unpack_archive filename,extract_dir,format shutil.unpack_archive
+ .. warning::
+
+ Never extract archives from untrusted sources without prior inspection.
+ It is possible that files are created outside of the path specified in
+ the *extract_dir* argument, e.g. members that have absolute filenames
+ starting with "/" or filenames with two dots "..".
+
.. versionchanged:: 3.7
Accepts a :term:`path-like object` for *filename* and *extract_dir*.
-
.. function:: register_unpack_format(name, extensions, function[, extra_args[, description]])
Registers an unpack format. *name* is the name of the format and
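Review bot: The last sentence of the added warning, 'filenames with two dots ".."', is looser than the risk it describes: a name can contain two consecutive dots and still stay inside *extract_dir*, while the actual problem is a ".." path component that walks out of it. Suggest wording such as 'members whose path contains a ".." component', next to the existing absolute-path case. The warning also asks for "prior inspection" without saying where to look; since the hunk header line notes these functions rely on :mod:`zipfile` and :mod:`tarfile`, a cross-reference to those modules would tell readers how to list member names before calling unpack_archive. Separately, the blank line removed just before ".. function:: register_unpack_format" is a whitespace change unrelated to the warning; confirm it is intentional or leave it out of the cherry-pick.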