
classification
Title: Improve zipfile: add support for symlinks
Type: enhancement
Stage: patch review
Components: Library (Lib)
Versions: Python 3.9

process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: Henning.von.Bargen, serhiy.storchaka, zaphodef
Priority: normal
Keywords: patch

Created on 2019-08-22 21:14 by zaphodef, last changed 2022-04-11 14:59 by admin.

Pull Requests
PR 15401 (status: open), linked by zaphodef, 2019-08-22 21:16
Messages (4)
msg350231 - (view) Author: Pierre-Jean Grenier (zaphodef) * Date: 2019-08-22 21:14
The module tarfile contains some methods for knowing whether an archive member is a regular file/a directory/a symlink. Apart from an "is_dir()" method, there was nothing similar in the zipfile module. For an ongoing project, I needed to know whether an archive member was a symlink or not, to prevent zip symlink attacks.

I thought this could be of use to other people, given I struggled a little to find a way of telling if an archive member is a symlink or not.

This is why I think adding support for symlinks in the zipfile module could be a good idea.
msg352932 - (view) Author: Pierre-Jean Grenier (zaphodef) * Date: 2019-09-21 08:14
The PR went through review and has been awaiting core review for almost a month, anyone to have a look at it? :)
msg362217 - (view) Author: Henning von Bargen (Henning.von.Bargen) Date: 2020-02-18 14:59
If I understand correctly, this bug is about supporting symlinks on *creating* ZIP files.

Please see also https://bugs.python.org/issue27318 for a proposal to support symlinks while *unpacking* ZIP files.

Maybe a preserve_symlinks optional argument should be added to the `extract` and `extractall` methods as well (the same argument name is used in `distutils.dir_util.copy_tree`).

Anyway, I think symlink support should be added for packing *and* unpacking or not at all.
msg402638 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2021-09-25 17:47
Adding support of symlinks in ZIP files will make the zipfile module vulnerable to symlink attacks like with TAR files (see https://en.wikipedia.org/wiki/Tar_(computing)#Duplicates). Until we find a solution to this, adding support of symlinks is dangerous.
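
An added example, not part of the thread or of PR 15401: one way to do the check the first message describes, by reading the Unix mode a ZIP entry stores in the high 16 bits of `external_attr`, and to flag link targets that would resolve outside the extraction directory (the risk raised in the last message). The helper names and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """True if the entry's Unix mode (high 16 bits of external_attr) is S_IFLNK."""
    # Checked regardless of create_system, so that any entry carrying a
    # symlink mode is flagged.
    return stat.S_ISLNK(info.external_attr >> 16)


def audit_symlinks(zf: zipfile.ZipFile):
    """Return [(member name, link target, escapes_root)] for symlink entries."""
    findings = []
    for info in zf.infolist():
        if not is_symlink(info):
            continue
        # A symlink entry stores its target path as the member's data.
        target = zf.read(info).decode("utf-8", "replace")
        resolved = posixpath.normpath(
            posixpath.join(posixpath.dirname(info.filename), target))
        escapes = (posixpath.isabs(target) or resolved == ".."
                   or resolved.startswith("../"))
        findings.append((info.filename, target, escapes))
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: one regular file and two symlink entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        for name, target in (("docs/latest", "readme.txt"),
                             ("docs/outside", "../../placeholder-target")):
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # Unix
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, target)
    return buf.getvalue()


if __name__ == "__main__":
    with zipfile.ZipFile(io.BytesIO(build_sample())) as archive:
        for name, target, escapes in audit_symlinks(archive):
            print(f"{name} -> {target} (escapes extraction root: {escapes})")
```

The escape check is purely lexical and does not follow chains of links; refusing every entry for which `is_symlink` is true is the stricter policy.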
History
Date | User | Action | Args
2022-04-11 14:59:19 | admin | set | github: 82102
2021-09-25 17:48:49 | serhiy.storchaka | link | issue45286 superseder
2021-09-25 17:47:38 | serhiy.storchaka | set | nosy: + serhiy.storchaka; messages: + msg402638
2020-02-18 14:59:35 | Henning.von.Bargen | set | nosy: + Henning.von.Bargen; messages: + msg362217
2019-09-21 08:14:11 | zaphodef | set | messages: + msg352932
2019-08-22 21:16:39 | zaphodef | set | keywords: + patch; stage: patch review; pull_requests: + pull_request15108
2019-08-22 21:14:36 | zaphodef | create |