Issue 20749: shutil.unpack_archive(): security concerns not documented

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/64948

classification

Title:	shutil.unpack_archive(): security concerns not documented
Type:	behavior	Stage:	patch review
Components:	Documentation	Versions:	Python 3.11, Python 3.10, Python 3.9

process

Status:	open	Resolution:
Dependencies:		Superseder:
Assigned To:	docs@python	Nosy List:	docs@python, jwilk, ned.deily, swenson
Priority:	normal	Keywords:	easy, newcomer friendly, patch

Created on 2014-02-23 21:13 by jwilk, last changed 2022-04-11 14:57 by admin.

Pull Requests
URL	Status	Linked	Edit
PR 29184	open	swenson, 2021-10-23 02:13

Messages (3)
msg212029 - (view)	Author: Jakub Wilk (jwilk)	Date: 2014-02-23 21:13
shutil.unpack_archive() uses tarfile.extractall() under the hood, so it's not suitable for unpacking untrusted archives. But this fact is not documented. Please add a security warning to shutil.unpack_archive() documentation.
msg242454 - (view)	Author: Mark Lawrence (BreamoreBoy) *	Date: 2015-05-03 06:50
If there is an agreed standard for security warnings I'll prepare a patch for this.
msg394170 - (view)	Author: Ned Deily (ned.deily) *	Date: 2021-05-21 23:22
The warning from Tarfile.extractall (Doc/library/tarfile.rst -> https://docs.python.org/dev/library/tarfile.html#tarfile-objects) can be adapted for use here (Doc/library/shutil.rst -> https://docs.python.org/dev/library/shutil.html#archiving-operations).

History
Date	User	Action	Args
2022-04-11 14:57:59	admin	set	github: 64948
2021-10-23 02:13:01	swenson	set	keywords: + patch nosy: + swenson pull_requests: + pull_request27458 stage: needs patch -> patch review
2021-05-21 23:22:48	ned.deily	set	versions: + Python 3.9, Python 3.10, Python 3.11, - Python 2.7, Python 3.4, Python 3.5 nosy: + ned.deily messages: + msg394170 keywords: + easy, newcomer friendly
2019-03-15 22:06:56	BreamoreBoy	set	nosy: - BreamoreBoy
2015-05-03 06:50:15	BreamoreBoy	set	nosy: + BreamoreBoy messages: + msg242454 versions: + Python 3.5, - Python 3.3
2014-02-24 20:09:19	pitrou	set	stage: needs patch type: behavior versions: + Python 2.7, Python 3.3, Python 3.4
2014-02-23 21:13:37	jwilk	create