New submission from Va <d.python.d...@indigo.re>:

In the documentation of all Python 3 versions, [ZipFile.extractall](https://docs.python.org/3/library/zipfile.html#zipfile.ZipFile.extractall) states with a big red warning:

> Warning
> Never extract archives from untrusted sources without prior inspection. It is
> possible that files are created outside of path, e.g. members that have
> absolute filenames starting with "/" or filenames with two dots "..". This
> module attempts to prevent that. See extract() note.

However, when looking at the implementation, it calls _extract_member() which seems to sanitize filenames. So the warning might not be relevant anymore.

Furthermore, when looking at the [Python 2](https://docs.python.org/2/library/zipfile.html#zipfile.ZipFile.extractall) documentation, we can see the same warning, along with a change note:

> Changed in version 2.7.4: The zipfile module attempts to prevent that. See
> extract() note.

So, the big red warning in Python 3 documentation might be relevant only for Python < 2.7.4, not for any Python 3 version.

----------
assignee: docs@python
components: Documentation
messages: 369854
nosy: VA, docs@python
priority: normal
severity: normal
status: open
title: zipfile.extractall is safe by now
type: behavior
versions: Python 3.10, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue40763>
_______________________________________
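As an added illustration (not part of the report above, and not CPython's own code), the following builds a small archive in memory with the two member-name patterns the warning describes, performs the "prior inspection" the docs ask for, then extracts with the stock `zipfile` module and records where each member actually lands. The names `build_suspicious_zip`, `suspicious_members` and `extract_and_check` are this example's own, and the archive contents are constructed sample data.

```python
import io
import os
import tempfile
import zipfile


def build_suspicious_zip():
    """Constructed sample archive (not a real-world file) whose member names
    use the two patterns the zipfile docs warn about: '..' and a leading '/'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # writestr() stores the name exactly as given, so the traversal
        # patterns survive into the archive's central directory.
        zf.writestr("ok/data.txt", "harmless\n")
        zf.writestr("../escape.txt", "tries to climb out of the target\n")
        zf.writestr("/abs/rooted.txt", "tries an absolute path\n")
    return buf.getvalue()


def suspicious_members(zip_bytes):
    """The 'prior inspection' the warning asks for: flag names that contain a
    '..' component, start with a path separator, or carry a drive letter
    (the drive check only fires on Windows). Returns the flagged names."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or ".." in parts or os.path.splitdrive(name)[0]:
                flagged.append(name)
    return flagged


def extract_and_check(zip_bytes):
    """Extract every member into a fresh temporary directory and return, per
    archive name, the path (relative to that directory) where it really landed.
    Raises if any written path resolves outside the directory."""
    landed = {}
    with tempfile.TemporaryDirectory() as target:
        root = os.path.realpath(target)
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                # extract() is what extractall() calls per member; it returns
                # the path it wrote after _extract_member() sanitised the name.
                written = os.path.realpath(zf.extract(info, target))
                if os.path.commonpath([root, written]) != root:
                    raise RuntimeError(f"{info.filename!r} escaped to {written}")
                landed[info.filename] = os.path.relpath(written, root).replace(os.sep, "/")
    return landed
```

The check is name-based only; it says nothing about what the extracted contents are, which is the part of the warning that inspection still has to cover.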
In documentation of all Python 3 versions, [ZipFile.extractall](https://docs.python.org/3/library/zipfile.html#zipfile.ZipFile.extractall) states with a big red warning: > Warning > Never extract archives from untrusted sources without prior inspection. It is > possible that files are created outside of path, e.g. members that have > absolute filenames starting with "/" or filenames with two dots "..". This > module attempts to prevent that. See extract() note. However, when looking at the implementation, it calls _extract_member() which seems to sanitize filenames. So the warning might not be relevant anymore. Furthermore, when looking at [Python 2](https://docs.python.org/2/library/zipfile.html#zipfile.ZipFile.extractall) documentation, we can see the same warning, along with a change note: > Changed in version 2.7.4: The zipfile module attempts to prevent that. See > extract() note. So, the big red warning in Python 3 documentation might be relevant only for Python < 2.7.4, not for any Python 3 version. ---------- assignee: docs@python components: Documentation messages: 369854 nosy: VA, docs@python priority: normal severity: normal status: open title: zipfile.extractall is safe by now type: behavior versions: Python 3.10, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9 _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue40763> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com