Classification
Title: shutil.unpack_archive(): security concerns not documented
Type: behavior
Stage: needs patch
Components: Documentation
Versions: Python 3.11, Python 3.10, Python 3.9

Process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To: docs@python
Nosy List: docs@python, jwilk, ned.deily
Priority: normal
Keywords: easy, newcomer friendly

Created on 2014-02-23 21:13 by jwilk, last changed 2021-05-21 23:22 by ned.deily.

Messages (3)
msg212029 - Author: Jakub Wilk (jwilk) Date: 2014-02-23 21:13
shutil.unpack_archive() uses tarfile.extractall() under the hood, so it's not suitable for unpacking untrusted archives. But this fact is not documented.

Please add a security warning to shutil.unpack_archive() documentation.
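The concern raised in the report above is that unpack_archive() hands the archive to tarfile.extractall(), which (before the extraction filters added in Python 3.12 by PEP 706) writes wherever the member names point, including outside the destination via absolute names, ".." components or links. The following is an added, stand-alone illustration of the kind of pre-extraction audit a caller had to do themselves; it is not code from the tracker thread or from CPython. It builds two small tar archives in memory (constructed sample input, one clean and one containing an escaping member), lists the members a checker rejects, and refuses the whole archive if any member fails. The DEST path and all function names are assumptions for the example.

```python
import io
import os
import tarfile
import tempfile

# Hypothetical destination directory; only its path is used by the checks.
DEST = os.path.join(tempfile.gettempdir(), "unpack_demo_dest")

# Constructed sample member lists: (name, payload) pairs.
SAFE_MEMBERS = [("docs/readme.txt", b"hello")]
TRAVERSAL_MEMBERS = SAFE_MEMBERS + [("../outside.txt", b"escaped")]


def build_archive(members) -> bytes:
    """Build a small uncompressed tar in memory from (name, payload) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _is_within(base: str, target: str) -> bool:
    """True if target, once normalised, still lies inside base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def check_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Return the names of members that must not be extracted into dest.

    Flags absolute names, '..' traversal, symlinks or hard links whose
    target resolves outside dest, and device or FIFO entries.
    """
    bad = []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or not _is_within(dest, os.path.join(dest, m.name)):
            bad.append(m.name)
            continue
        if m.issym():
            # Symlink targets are relative to the member's own directory.
            link = os.path.join(dest, os.path.dirname(m.name), m.linkname)
            if os.path.isabs(m.linkname) or not _is_within(dest, link):
                bad.append(m.name)
                continue
        if m.islnk():
            # Hard link targets are relative to the archive root.
            link = os.path.join(dest, m.linkname)
            if os.path.isabs(m.linkname) or not _is_within(dest, link):
                bad.append(m.name)
                continue
        if m.isdev():
            bad.append(m.name)
    return bad


def audit_archive(data: bytes, dest: str) -> list[str]:
    """Open an in-memory tar and report the members that fail the checks."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return check_members(tar, dest)


def unpack_tar_safely(data: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any member is unsafe; otherwise extract
    it into dest and return the names that were written."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        bad = check_members(tar, dest)
        if bad:
            raise ValueError(f"refusing to unpack, unsafe members: {bad}")
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


if __name__ == "__main__":
    for label, members in (("clean", SAFE_MEMBERS), ("traversal", TRAVERSAL_MEMBERS)):
        print(label, "->", audit_archive(build_archive(members), DEST))
```

The whole-archive refusal is deliberate: skipping only the offending members would still let a partially trusted archive place files next to ones a later step relies on. On 3.12 and later the same intent is expressed by passing filter="data" to extractall() or unpack_archive().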
msg242454 - Author: Mark Lawrence (BreamoreBoy) * Date: 2015-05-03 06:50
If there is an agreed standard for security warnings I'll prepare a patch for this.
msg394170 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2021-05-21 23:22
The warning from Tarfile.extractall (Doc/library/tarfile.rst -> https://docs.python.org/dev/library/tarfile.html#tarfile-objects) can be adapted for use here (Doc/library/shutil.rst -> https://docs.python.org/dev/library/shutil.html#archiving-operations).
History
Date | User | Action | Args
2021-05-21 23:22:48 | ned.deily | set | versions: + Python 3.9, Python 3.10, Python 3.11, - Python 2.7, Python 3.4, Python 3.5; nosy: + ned.deily; messages: + msg394170; keywords: + easy, newcomer friendly
2019-03-15 22:06:56 | BreamoreBoy | set | nosy: - BreamoreBoy
2015-05-03 06:50:15 | BreamoreBoy | set | nosy: + BreamoreBoy; messages: + msg242454; versions: + Python 3.5, - Python 3.3
2014-02-24 20:09:19 | pitrou | set | stage: needs patch; type: behavior; versions: + Python 2.7, Python 3.3, Python 3.4
2014-02-23 21:13:37 | jwilk | create |