https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb commit: 8e13025747e1ca72e86d1f35637123f9c306f0cb branch: 3.14 author: Miss Islington (bot) <[email protected]> committer: serhiy-storchaka <[email protected]> date: 2026-05-19T08:43:57Z summary:
[3.14] gh-146581: Update docs for dangerous filenames in ZIP files (GH-149994) (GH-150065) (cherry picked from commit ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19) Co-authored-by: Serhiy Storchaka <[email protected]> Co-authored-by: Sebastian Gassner <[email protected]> files: M Doc/library/shutil.rst M Doc/library/zipfile.rst diff --git a/Doc/library/shutil.rst b/Doc/library/shutil.rst index 8564a5b72d9794..e65b96f2e8f07e 100644 --- a/Doc/library/shutil.rst +++ b/Doc/library/shutil.rst @@ -745,8 +745,8 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules. Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of the path specified in - the *extract_dir* argument, e.g. members that have absolute filenames - starting with "/" or filenames with two dots "..". + the *extract_dir* argument, for example, members that have absolute filenames + or filenames with ".." components. Since Python 3.14, the defaults for both built-in formats (zip and tar files) will prevent the most dangerous of such security issues, diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst index b1a2c820bea11f..36043c355818b1 100644 --- a/Doc/library/zipfile.rst +++ b/Doc/library/zipfile.rst @@ -414,9 +414,9 @@ ZipFile objects .. warning:: Never extract archives from untrusted sources without prior inspection. - It is possible that files are created outside of *path*, e.g. members - that have absolute filenames starting with ``"/"`` or filenames with two - dots ``".."``. This module attempts to prevent that. + It is possible that files are created outside of *path*, for example, members + that have absolute filenames or filenames with ".." components. + This module attempts to prevent that. See :meth:`extract` note. .. versionchanged:: 3.6 @@ -593,7 +593,7 @@ Path objects The :class:`Path` class does not sanitize filenames within the ZIP archive. Unlike the :meth:`ZipFile.extract` and :meth:`ZipFile.extractall` methods, it is the caller's responsibility to validate or sanitize filenames to prevent path traversal - vulnerabilities (e.g., filenames containing ".." or absolute paths). When handling + vulnerabilities (for example, absolute paths or paths with ".." components). When handling untrusted archives, consider resolving filenames using :func:`os.path.abspath` and checking against the target directory with :func:`os.path.commonpath`. _______________________________________________ Python-checkins mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3//lists/python-checkins.python.org Member address: [email protected]
