On Thursday, March 9, 2017, Victor Stinner <victor.stin...@gmail.com> wrote:
> Hi,
>
> I'm sorry Wes, but I don't understand your long list of urls :-( Can
> you elaborate?

I thought that's what I was doing?

> I'm asking if there is a reason for allowing absolute paths by
> default. Maybe backward compatibility?

I think secure by default would be good here.

> 2017-03-09 20:33 GMT+01:00 Wes Turner <wes.tur...@gmail.com>:
> > Docs: https://docs.python.org/3/library/tarfile.html
>
> I didn't write a private email to security@ because as you pointed,
> the issue is known and *documented* in Python since 10 years.

Doesn't mean it's not broken

> > https://python-security.readthedocs.io/
>
> I wrote this doc :-) I just added notes about tarfile and zipfile.

The [ ] wiki links could also be useful

> Victor
_______________________________________________
Security-SIG mailing list
Security-SIG@python.org
https://mail.python.org/mailman/listinfo/security-sig
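An added example, not code from this thread or from CPython: one way a caller can refuse the absolute-path and `..` members discussed above before anything is written to disk. The function names and the in-memory sample archive are hypothetical and constructed for illustration.

```python
import io
import os
import tarfile


def member_problem(member, dest):
    """Return why a member is unsafe to extract under dest (a real path), or None."""
    if member.name.startswith(("/", "\\")) or os.path.isabs(member.name):
        return "absolute path"
    target = os.path.realpath(os.path.join(dest, member.name))
    if os.path.commonpath([dest, target]) != dest:
        return "escapes destination"
    if not (member.isfile() or member.isdir()):
        return "not a regular file or directory"  # links, devices, FIFOs
    return None


def safe_extract(fileobj, dest):
    """Extract only vetted members; return {member name: reason} for the rest."""
    dest = os.path.realpath(dest)
    skipped = {}
    with tarfile.open(fileobj=fileobj) as tar:
        for member in tar:
            reason = member_problem(member, dest)
            if reason:
                skipped[member.name] = reason
                continue
            target = os.path.join(dest, member.name)
            if member.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Copy the bytes ourselves so no archive metadata is applied.
            with tar.extractfile(member) as src, open(target, "wb") as out:
                out.write(src.read())
    return skipped


def build_sample():
    """Constructed archive: one benign member, one absolute, one using '..'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "/tmp/abs-demo.txt", "../escape.txt"):
            info = tarfile.TarInfo(name)
            info.size = 5
            tar.addfile(info, io.BytesIO(b"hello"))
    buf.seek(0)
    return buf
```

Python 3.12 and later also accept a `filter` argument to `TarFile.extractall()`; `filter="data"` applies comparable checks inside the standard library.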