Issue 20749: shutil.unpack_archive(): security concerns not documented - Python tracker

classification

Title:	shutil.unpack_archive(): security concerns not documented
Type:	behavior	Stage:	needs patch
Components:	Documentation	Versions:	Python 3.4, Python 3.5, Python 2.7

process

Status:	open	Resolution:
Dependencies:		Superseder:
Assigned To:	docs@python	Nosy List:	docs@python, jwilk
Priority:	normal	Keywords:

Created on 2014-02-23 21:13 by jwilk, last changed 2019-03-15 22:06 by BreamoreBoy.

Messages (2)
msg212029 - (view)	Author: Jakub Wilk (jwilk)	Date: 2014-02-23 21:13
shutil.unpack_archive() uses tarfile.extractall() under the hood, so it's not suitable for unpacking untrusted archives. But this fact is not documented. Please add a security warning to shutil.unpack_archive() documentation.
msg242454 - (view)	Author: Mark Lawrence (BreamoreBoy) *	Date: 2015-05-03 06:50
If there is an agreed standard for security warnings I'll prepare a patch for this.

History
Date	User	Action	Args
2019-03-15 22:06:56	BreamoreBoy	set	nosy: - BreamoreBoy
2015-05-03 06:50:15	BreamoreBoy	set	nosy: + BreamoreBoy messages: + msg242454 versions: + Python 3.5, - Python 3.3
2014-02-24 20:09:19	pitrou	set	stage: needs patch type: behavior versions: + Python 2.7, Python 3.3, Python 3.4
2014-02-23 21:13:37	jwilk	create