
Author amaajemyfren
Recipients VA, amaajemyfren, docs@python
Date 2020-05-25.17:46:47
Message-id <CAKyeSh2mNUwBr6MQ+_PuCrXNKD6T-YH+eW9Q4TX56eu7QCpf8A@mail.gmail.com>
In-reply-to <1590391095.61.0.387813168658.issue40763@roundup.psfhosted.org>
Content
Hi,

On Mon, May 25, 2020 at 10:18 AM Va <report@bugs.python.org> wrote:

>
> So, the big red warning in Python 3 documentation might be relevant only for Python < 2.7.4, not for any Python 3 version.
>

You may be on to something. It does appear to be what was discussed in
msg181646 on issue6972.
What I see is that from CPython 3.4
(https://docs.python.org/3.4/library/zipfile.html#zipfile.ZipFile.extractall),
while the security warning is still there, they add the following line in it:

> This module attempts to prevent that. See extract() note.

The extract() note goes into some detail to explain what and how they
attempt to prevent it.

It is not obvious to me that zipfile._extract_member() together with
(for Windows) zipfile._sanitize_windows_name() have handled everything
that could happen.
May I suggest that out of caution we leave it as it is?
History
Date                 User          Action  Args
2020-05-25 17:46:47  amaajemyfren  set     recipients: + amaajemyfren, VA
2020-05-25 17:46:47  amaajemyfren  link    issue40763 messages
2020-05-25 17:46:47  amaajemyfren  create
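
Added example, not part of the original message and not CPython's own code: a way to check the behaviour under discussion on a given interpreter. It extracts a constructed archive whose member names contain ".." and a leading "/" with ZipFile.extractall(), then audits where the files landed. The function names (build_sample_zip, escaping_members, extract_and_audit) are hypothetical, and escaping_members is an independent pre-extraction check that a caller can apply regardless of what the module does.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive: one ordinary member, two with hostile names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "ok")
        zf.writestr("../outside.txt", "dotdot")
        zf.writestr("/abs/outside.txt", "absolute")
    return buf.getvalue()


def escaping_members(zf: zipfile.ZipFile, dest: str) -> list:
    """Names that would leave dest if joined to it without any sanitising."""
    root = os.path.realpath(dest)
    bad = []
    for name in zf.namelist():
        target = os.path.realpath(os.path.join(root, name))
        if os.path.commonpath([root, target]) != root:
            bad.append(name)
    return bad


def extract_and_audit(data: bytes):
    """Run extractall(), then list every file written, relative to the parent dir."""
    with tempfile.TemporaryDirectory() as parent:
        dest = os.path.join(parent, "dest")
        os.mkdir(dest)
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            flagged = escaping_members(zf, dest)  # caller-side check
            zf.extractall(dest)                   # module-side sanitising
        written = sorted(
            os.path.relpath(os.path.join(d, f), parent).replace(os.sep, "/")
            for d, _, files in os.walk(parent) for f in files
        )
    return flagged, written


if __name__ == "__main__":
    flagged, written = extract_and_audit(build_sample_zip())
    print("would escape if unsanitised:", flagged)
    print("files actually written:", written)
```

A caller that prefers to reject such archives outright, rather than rely on the names being rewritten, can refuse to extract whenever escaping_members() returns a non-empty list.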