
Author: VA
Recipients: VA, docs@python
Date: 2020-05-25.07:18:15
SpamBayes Score: -1.0
Marked as misclassified: Yes
Message-id: <1590391095.61.0.387813168658.issue40763@roundup.psfhosted.org>
Content
In documentation of all Python 3 versions, [ZipFile.extractall](https://docs.python.org/3/library/zipfile.html#zipfile.ZipFile.extractall) states with a big red warning:

> Warning
> Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..". This module attempts to prevent that. See extract() note.

However, when looking at the implementation, one sees that it calls _extract_member(), which seems to sanitize filenames. So the warning might not be relevant anymore.

Furthermore, when looking at [Python 2](https://docs.python.org/2/library/zipfile.html#zipfile.ZipFile.extractall) documentation, we can see the same warning, along with a change note:

> Changed in version 2.7.4: The zipfile module attempts to prevent that. See extract() note.

So, the big red warning in Python 3 documentation might be relevant only for Python < 2.7.4, not for any Python 3 version.
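As an added example (not part of the original report, nor CPython's own code or test suite), the script below checks the claim empirically on whatever Python 3 interpreter runs it. It builds a small in-memory archive whose member names are constructed for this example and have exactly the shapes the warning mentions (a leading "/" and ".." components), extracts it with the public ZipFile.extractall() API into a fresh scratch directory, and reports every file that was actually created, alongside which members a naive os.path.join(target, name) would have placed outside the target. The scratch layout ("target" under a temporary root) and the member names are assumptions of the example.

```python
import io
import os
import tempfile
import zipfile

# Constructed member names for this example: the traversal shapes the
# zipfile documentation warns about (leading "/" and ".." components),
# plus one ordinary name as a control.
HOSTILE_MEMBERS = [
    "../escape.txt",
    "/abs.txt",
    "sub/../../deep_escape.txt",
    "safe/ok.txt",
]


def build_hostile_zip(members=HOSTILE_MEMBERS) -> bytes:
    """Build an in-memory archive whose entries carry the names verbatim.

    writestr() with an explicit ZipInfo stores the name as given, so the
    archive really contains "../" and "/"-prefixed entries, just as an
    archive from an untrusted source could.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(zipfile.ZipInfo(name), f"content of {name}\n")
    return buf.getvalue()


def _inside(path: str, directory: str) -> bool:
    """True if path is directory itself or lies beneath it."""
    try:
        return os.path.commonpath([path, directory]) == directory
    except ValueError:  # e.g. different drives on Windows
        return False


def extract_and_report(archive: bytes) -> dict:
    """Extract with the public extractall() API and report what was created.

    Returns the stored member names, every regular file found under a
    scratch root (as posix-style paths relative to that root, so anything
    landing outside "target/" would be visible), and which members a naive
    os.path.join(target, name) would have placed outside the target.
    """
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "target")
        os.mkdir(target)

        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            members = zf.namelist()
            zf.extractall(target)  # the stdlib sanitizes the names here

        created = []
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                created.append(rel.replace(os.sep, "/"))
        created.sort()

        # Computed only, never written: where an unsanitized join would land.
        naive_escapes = [
            m for m in members
            if not _inside(os.path.normpath(os.path.join(target, m)), target)
        ]

    return {
        "members": members,
        "created": created,
        "naive_escapes": naive_escapes,
    }


if __name__ == "__main__":
    report = extract_and_report(build_hostile_zip())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The "naive_escapes" list only computes destination paths and never writes to them; it exists to show that three of the four stored names would escape the target if extraction trusted them, while the "created" list shows that extractall() placed all four inside target/ (the absolute name and the ".." components are dropped, so "sub/../../deep_escape.txt" lands at target/sub/deep_escape.txt).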
History
Date                 User  Action  Args
2020-05-25 07:18:15  VA    set     recipients: + VA, docs@python
2020-05-25 07:18:15  VA    set     messageid: <1590391095.61.0.387813168658.issue40763@roundup.psfhosted.org>
2020-05-25 07:18:15  VA    link    issue40763 messages
2020-05-25 07:18:15  VA    create