classification
Title: shutil.unpack_archive(): security concerns not documented
Type: behavior
Stage: needs patch
Components: Documentation
Versions: Python 3.4, Python 3.5, Python 2.7

process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To: docs@python
Nosy List: docs@python, jwilk
Priority: normal
Keywords:

Created on 2014-02-23 21:13 by jwilk, last changed 2019-03-15 22:06 by BreamoreBoy.

Messages (2)
msg212029 - Author: Jakub Wilk (jwilk) Date: 2014-02-23 21:13
shutil.unpack_archive() uses tarfile.extractall() under the hood, so it's not suitable for unpacking untrusted archives. But this fact is not documented.

Please add a security warning to shutil.unpack_archive() documentation.

msg242454 - Author: Mark Lawrence (BreamoreBoy) * Date: 2015-05-03 06:50
If there is an agreed standard for security warnings I'll prepare a patch for this.

History
Date | User | Action | Args
2019-03-15 22:06:56 | BreamoreBoy | set | nosy: - BreamoreBoy
2015-05-03 06:50:15 | BreamoreBoy | set | nosy: + BreamoreBoy; messages: + msg242454; versions: + Python 3.5, - Python 3.3
2014-02-24 20:09:19 | pitrou | set | stage: needs patch; type: behavior; versions: + Python 2.7, Python 3.3, Python 3.4
2014-02-23 21:13:37 | jwilk | create |