diff options
| -rw-r--r-- | Doc/library/shutil.rst | 8 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst | 2 |
2 files changed, 9 insertions, 1 deletions
diff --git a/Doc/library/shutil.rst b/Doc/library/shutil.rst index cb72ff6..9a25b0d 100644 --- a/Doc/library/shutil.rst +++ b/Doc/library/shutil.rst @@ -636,10 +636,16 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules. .. audit-event:: shutil.unpack_archive filename,extract_dir,format shutil.unpack_archive + .. warning:: + + Never extract archives from untrusted sources without prior inspection. + It is possible that files are created outside of the path specified in + the *extract_dir* argument, e.g. members that have absolute filenames + starting with "/" or filenames with two dots "..". + .. versionchanged:: 3.7 Accepts a :term:`path-like object` for *filename* and *extract_dir*. - .. function:: register_unpack_format(name, extensions, function[, extra_args[, description]]) Registers an unpack format. *name* is the name of the format and diff --git a/Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst b/Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst new file mode 100644 index 0000000..4d6be37 --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst @@ -0,0 +1,2 @@ +Document security issues concerning the use of the function +:meth:`shutil.unpack_archive` |