From 4b297a9ffd4a1d420c1a8016f4ed2c7f1d298469 Mon Sep 17 00:00:00 2001 From: Sam Ezeh Date: Mon, 2 May 2022 18:15:04 +0100 Subject: gh-91783: Document security considerations for shutil.unpack_archive (#91844) --- Doc/library/shutil.rst | 8 +++++++- .../Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst | 2 ++ 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst diff --git a/Doc/library/shutil.rst b/Doc/library/shutil.rst index cb72ff6..9a25b0d 100644 --- a/Doc/library/shutil.rst +++ b/Doc/library/shutil.rst @@ -636,10 +636,16 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules. .. audit-event:: shutil.unpack_archive filename,extract_dir,format shutil.unpack_archive + .. warning:: + + Never extract archives from untrusted sources without prior inspection. + It is possible that files are created outside of the path specified in + the *extract_dir* argument, e.g. members that have absolute filenames + starting with "/" or filenames with two dots "..". + .. versionchanged:: 3.7 Accepts a :term:`path-like object` for *filename* and *extract_dir*. - .. function:: register_unpack_format(name, extensions, function[, extra_args[, description]]) Registers an unpack format. *name* is the name of the format and diff --git a/Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst b/Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst new file mode 100644 index 0000000..4d6be37 --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst @@ -0,0 +1,2 @@ +Document security issues concerning the use of the function +:meth:`shutil.unpack_archive` -- cgit v0.12