[issue10905] zipfile: fix arcname with leading '///' or '..'
Serhiy Storchaka
report at bugs.python.org
Sun Oct 21 22:16:28 CEST 2012
Serhiy Storchaka added the comment:
Some comments to patch.
+ arcname = os.path.sep.join([x for x in arcname.split(os.path.sep)
+ if x != '..'])
File names in zip archive should use '/' as separator, not os.path.sep. '../spam' will be not cleaned by this code.
+ while arcname[0] in (os.sep, os.altsep):
+ arcname = arcname[1:]
It will not save from filenames containing drive letter: 'C:/Windows/python.exe'.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue10905>
_______________________________________
More information about the Python-bugs-list
mailing list