
Author VA
Recipients VA, amaajemyfren, docs@python
Date 2020-05-26.11:47:41
Message-id <1590493661.5.0.153351512966.issue40763@roundup.psfhosted.org>
In-reply-to
Content
> It is not obvious to me that zipfile._extract_member() together with
> (for windows) zipfile._sanitize_windows_name() have handled everything
> that could happen.

What hasn't been handled then?
What is the safe way to use it?

I think documenting "this function is unsafe" without suggesting a replacement or a safe way to use it isn't very constructive: as a developer, I want to extract a zip archive, but the only function supposed to do the job tells me "this is unsafe". Ok, so what am I supposed to do to be safe?

That's what documentation should tell me, not leave me puzzled with doubt.

> May I suggest that out of caution we leave it as it is?

I don't think the situation should stay like this.

- either the documentation should be more precise about what problems can occur, and how to handle those problems
- or better, the function should be fixed and made fully safe, so all programs using it are safe (and the warning can be removed)
History
Date User Action Args
2020-05-26 11:47:41 VA set recipients: + VA, docs@python, amaajemyfren
2020-05-26 11:47:41 VA set messageid: <1590493661.5.0.153351512966.issue40763@roundup.psfhosted.org>
2020-05-26 11:47:41 VA link issue40763 messages
2020-05-26 11:47:41 VA create
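A caller-side audit that can run before `extractall()`, independent of whatever `zipfile` sanitizes internally. This is an added example, not code from this tracker thread or from CPython; `UnsafeArchive`, `audit_members`, `safe_extractall`, `make_zip` and the 100 MiB default limit are hypothetical names and values chosen for illustration.

```python
import io
import ntpath
import os
import zipfile


class UnsafeArchive(Exception):
    """An archive member failed a check before anything was written."""


def audit_members(zf, dest, max_total=100 * 1024 * 1024):
    """Return zf's members if all pass the checks, else raise UnsafeArchive."""
    root = os.path.realpath(dest)
    total, checked = 0, []
    for info in zf.infolist():
        name = info.filename.replace("\\", "/")
        # Reject (rather than silently rewrite) absolute paths, Windows
        # drive/UNC prefixes and any ".." component.
        if name.startswith("/") or ntpath.splitdrive(name)[0] or ".." in name.split("/"):
            raise UnsafeArchive(f"suspicious member name: {info.filename!r}")
        # Resolve symlinks already present under dest, then confirm containment.
        target = os.path.realpath(os.path.join(root, name))
        if os.path.commonpath([root, target]) != root:
            raise UnsafeArchive(f"member escapes destination: {info.filename!r}")
        total += info.file_size  # size declared in the archive headers
        if total > max_total:
            raise UnsafeArchive("declared uncompressed size exceeds limit")
        checked.append(info)
    return checked


def safe_extractall(zf, dest, max_total=100 * 1024 * 1024):
    """Audit every member first, then extract only the audited list."""
    members = audit_members(zf, dest, max_total)
    zf.extractall(dest, members=members)
    return [m.filename for m in members]


def make_zip(entries):
    """Build a constructed in-memory sample archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)
```

The size check relies on the sizes the archive declares, so it bounds honest archives and cheap zip bombs but is not a substitute for a disk quota on the destination.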