Message 181646 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	catalin.iacob
Recipients	Arfrever, amaury.forgeotdarc, catalin.iacob, georg.brandl, gregory.p.smith, loewis, ned.deily, python-dev, r.david.murray, schmir, serhiy.storchaka, twb
Date	2013-02-07.21:37:21
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1360273042.06.0.0200716978677.issue6972@psf.upfronthosting.co.za>
In-reply-to

Content
There are 2 issues with the documentation changes introduced by these patches. 1. for 2.7, the note added by the doc patch is in the wrong place, at the setpassword method instead of the extract or extractall method 2. for 3.x the "Never extract archives from untrusted sources..." warning got removed but it's still useful for users that read the documentation online and therefore get the updated docs but haven't updated Python to the latest patch release and therefore don't have the fix. For example, anybody reading the docs for 3.2 or 3.3 today doesn't see that extractall is dangerous and there is no released Python containing the fix so by all practical means extractall is still dangerous today. To address point 2, I think the warning should be kept with an extra mention regarding exact version where it got fixed so that, when reading the documentation, everybody can assess exactly whether extractall is safe for them to use or not. I can't reopen the bug since I don't have tracker privileges but since it's a security issue I think it's important for these to get addressed.

There are 2 issues with the documentation changes introduced by these patches.

1. for 2.7, the note added by the doc patch is in the wrong place, at the setpassword method instead of the extract or extractall method

2. for 3.x the "Never extract archives from untrusted sources..." warning got removed but it's still useful for users that read the documentation online and therefore get the updated docs but haven't updated Python to the latest patch release and therefore don't have the fix. For example, anybody reading the docs for 3.2 or 3.3 today doesn't see that extractall is dangerous and there is no released Python containing the fix so by all practical means extractall is still dangerous today.

To address point 2, I think the warning should be kept with an extra mention regarding exact version where it got fixed so that, when reading the documentation, everybody can assess exactly whether extractall is safe for them to use or not.

I can't reopen the bug since I don't have tracker privileges but since it's a security issue I think it's important for these to get addressed.

History
Date	User	Action	Args
2013-02-07 21:37:22	catalin.iacob	set	recipients: + catalin.iacob, loewis, georg.brandl, gregory.p.smith, amaury.forgeotdarc, schmir, ned.deily, Arfrever, r.david.murray, twb, python-dev, serhiy.storchaka
2013-02-07 21:37:22	catalin.iacob	set	messageid: <1360273042.06.0.0200716978677.issue6972@psf.upfronthosting.co.za>
2013-02-07 21:37:22	catalin.iacob	link	issue6972 messages
2013-02-07 21:37:21	catalin.iacob	create