Author catalin.iacob
Recipients Arfrever, amaury.forgeotdarc, catalin.iacob, georg.brandl, gregory.p.smith, loewis, ned.deily, python-dev, r.david.murray, schmir, serhiy.storchaka, twb
Date 2013-02-07.21:37:21
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1360273042.06.0.0200716978677.issue6972@psf.upfronthosting.co.za>
In-reply-to
Content
There are 2 issues with the documentation changes introduced by these patches.

1. For 2.7, the note added by the doc patch is in the wrong place, at the setpassword method instead of the extract or extractall method.

2. for 3.x the "Never extract archives from untrusted sources..." warning got removed but it's still useful for users that read the documentation online and therefore get the updated docs but haven't updated Python to the latest patch release and therefore don't have the fix. For example, anybody reading the docs for 3.2 or 3.3 today doesn't see that extractall is dangerous and there is no released Python containing the fix so by all practical means extractall is still dangerous today.

To address point 2, I think the warning should be kept with an extra mention regarding exact version where it got fixed so that, when reading the documentation, everybody can assess exactly whether extractall is safe for them to use or not.

I can't reopen the bug since I don't have tracker privileges but since it's a security issue I think it's important for these to get addressed.
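The hazard behind this thread (issue 6972) is that `extractall` wrote archive members whose names contain `..` components or absolute paths outside the target directory; the patches under discussion make `extractall` strip those. Readers on a Python without the fix, which is exactly the audience the message is worried about, can apply the same check themselves before extracting. The following is an added example, not code from the tracker message or from CPython; the function names `unsafe_members`, `safe_extractall`, `build_sample_zip` and `demo` are mine, and the archive is constructed in memory for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def unsafe_members(zf):
    """Return the member names that would land outside the extraction directory.

    A name is rejected if it is absolute, carries a drive letter, or has any
    '..' path component. Backslashes are treated as separators too, since an
    archive written on Windows may contain them.
    """
    bad = []
    for name in zf.namelist():
        norm = name.replace("\\", "/")
        parts = norm.split("/")
        if norm.startswith("/") or os.path.splitdrive(norm)[0] or ".." in parts:
            bad.append(name)
    return bad


def safe_extractall(zf, target):
    """Extract only if every member stays under `target`; otherwise refuse the whole archive.

    Refusing everything is deliberate: a single hostile member is a good reason
    to distrust the rest of the archive rather than extract it partially.
    """
    bad = unsafe_members(zf)
    if bad:
        raise ValueError("refusing to extract members that escape the target: %r" % bad)

    # Second, independent check on the resolved destination of each member,
    # so symlinked target directories and odd normalisation cannot slip through.
    target_real = os.path.realpath(target)
    for name in zf.namelist():
        dest = os.path.realpath(os.path.join(target_real, name))
        if os.path.commonpath([target_real, dest]) != target_real:
            raise ValueError("member %r resolves outside %r" % (name, target_real))

    zf.extractall(target)
    return zf.namelist()


def build_sample_zip(member_names):
    """Constructed sample archive (not from the tracker): one small file per name.

    zipfile does not sanitise names on the *write* side, so a traversal name is
    stored verbatim, which is how a hostile archive would arrive from outside.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"sample")
    buf.seek(0)
    return zipfile.ZipFile(buf)


def demo():
    """Extract a benign archive into a fresh temporary directory and return its member names."""
    benign = build_sample_zip(["docs/readme.txt", "docs/notes.txt"])
    with tempfile.TemporaryDirectory() as tmp:
        extracted = safe_extractall(benign, tmp)
        # Every member must exist under tmp after extraction.
        assert all(os.path.isfile(os.path.join(tmp, n)) for n in extracted)
    return extracted


if __name__ == "__main__":
    print("extracted:", demo())
    hostile = build_sample_zip(["docs/ok.txt", "../../outside.txt", "/abs/path.txt"])
    print("flagged:", unsafe_members(hostile))
```

The first check is a pure name check that mirrors what the fixed `extractall` does to member names; the second, on `os.path.realpath`, is the one to keep even on a patched interpreter when the target directory itself may be attacker-influenced.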