This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author serhiy.storchaka
Recipients Arfrever, alanmcintyre, benjamin.peterson, dw, eric.araujo, kasal, larry, loewis, mcepl, ocean-city, pitrou, r.david.murray, serhiy.storchaka
Date 2014-11-21.14:27:40
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1416580061.44.0.360478667808.issue14099@psf.upfronthosting.co.za>
In-reply-to
Content
I hesitate about applying the patch to maintained releases. On one hand, besides interface (even non-documented details) left the same, the patch changes interiors too much for ordinal bug. I don't see how it can break something, but this doesn't guarantee that changes don't have unexpected effect.

On other hand, this bug can be considered as security-related issue. Malicious local attacker could replace ZIP file between its open and read from it or between two reads, if he has write access to the directory containing ZIP file or there are symplinks under his control in ZIP file path. The danger of this may exceed hypothetical negative consequences of the applying of the patch.

I appeal the matter to release managers. Should we apply this patch (the risk is pretty small) to 2.7 and 3.4?
History
Date User Action Args
2014-11-21 14:27:41serhiy.storchakasetrecipients: + serhiy.storchaka, loewis, alanmcintyre, pitrou, ocean-city, larry, benjamin.peterson, mcepl, eric.araujo, Arfrever, r.david.murray, kasal, dw
2014-11-21 14:27:41serhiy.storchakasetmessageid: <1416580061.44.0.360478667808.issue14099@psf.upfronthosting.co.za>
2014-11-21 14:27:41serhiy.storchakalinkissue14099 messages
2014-11-21 14:27:40serhiy.storchakacreate