Message369854
In the documentation of all Python 3 versions, [ZipFile.extractall](https://docs.python.org/3/library/zipfile.html#zipfile.ZipFile.extractall) states with a big red warning:
> Warning
> Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..". This module attempts to prevent that. See extract() note.
However, when looking at the implementation, it calls _extract_member() which seems to sanitize filenames. So the warning might not be relevant anymore.
Furthermore, when looking at the [Python 2](https://docs.python.org/2/library/zipfile.html#zipfile.ZipFile.extractall) documentation, we can see the same warning, along with a change note:
> Changed in version 2.7.4: The zipfile module attempts to prevent that. See extract() note.
So, the big red warning in Python 3 documentation might be relevant only for Python < 2.7.4, not for any Python 3 version.

| Date | User | Action | Args |
|---|---|---|---|
| 2020-05-25 07:18:15 | VA | set | recipients: + VA, docs@python |
| 2020-05-25 07:18:15 | VA | set | messageid: <1590391095.61.0.387813168658.issue40763@roundup.psfhosted.org> |
| 2020-05-25 07:18:15 | VA | link | issue40763 messages |
| 2020-05-25 07:18:15 | VA | create | |
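
The two behaviours discussed in the message above can be checked side by side. This is an added example, not part of the original message and not CPython's own code: it performs the "prior inspection" the warning asks for, then runs `extractall()` on the same archive to see where the members actually land. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile


def risky_members(zf):
    """Return stored names that are absolute or contain a '..' component."""
    flagged = []
    for info in zf.infolist():
        # ZIP names use '/', but treat '\\' as a separator too (Windows targets).
        parts = info.filename.replace("\\", "/").split("/")
        # Conservative: a ':' in the first component is treated as a drive prefix.
        absolute = parts[0] == "" or ":" in parts[0]
        if absolute or ".." in parts:
            flagged.append(info.filename)
    return flagged


def extracted_paths(zf, dest):
    """Run extractall() and return the relative paths created under dest."""
    zf.extractall(dest)
    created = []
    for root, _dirs, files in os.walk(dest):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), dest)
            created.append(rel.replace(os.sep, "/"))
    return sorted(created)


def build_sample_archive():
    """Constructed sample: one ordinary member, one with '..', one absolute."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "ok")
        zf.writestr("../outside.txt", "dotdot")
        zf.writestr("/abs.txt", "absolute")
    buf.seek(0)
    return buf


def demo():
    """Inspect the sample, extract it into a nested temp dir, report results."""
    with zipfile.ZipFile(build_sample_archive()) as zf:
        flagged = risky_members(zf)
        with tempfile.TemporaryDirectory() as top:
            dest = os.path.join(top, "dest")
            os.mkdir(dest)
            created = extracted_paths(zf, dest)
            outside = sorted(os.listdir(top))  # anything besides 'dest' escaped
    return flagged, created, outside
```

The inspection reports the stored names as written in the archive, while the extraction result shows the paths after the module's own filename handling, so the two outputs together show both what the warning describes and what the implementation does with it.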