[issue6972] zipfile.ZipFile overwrites files outside destination path

Ralf Schmitt report at bugs.python.org
Tue Sep 29 11:46:03 CEST 2009


Ralf Schmitt <schmir at gmail.com> added the comment:

I think this should clearly be fixed in the code. The current code tries
to handle absolute paths by removing the first slash (unfortunately not
the second), so it looks like it tries to be safe and only write to the
destination directory. That should be the default operation.
I even think that there should be *no* option to allow overriding files
outside the destination path (on Unix one can always use / as
destination if he feels like overwriting his /etc/passwd).
The documentation should also mention that it's unsafe to use this
method in Python < 2.6.2.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue6972>
_______________________________________
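
An added example, not part of the original message or of CPython's code: it shows why stripping a single leading slash leaves a name such as `//outside/file.txt` absolute, and one way to refuse archive members that would resolve outside the destination. The helper names, the sample member names and the POSIX path handling are assumptions made for illustration.

```python
import io
import os
import tempfile
import zipfile

def strip_first_slash(name):
    # Models the behaviour described above: only one leading slash is removed.
    return name[1:] if name.startswith("/") else name

def resolves_inside(dest, name):
    # True only if joining name onto dest stays within dest (POSIX paths assumed).
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, name))
    return os.path.commonpath([dest, target]) == dest

def safe_extract(zf, dest):
    # Check every member before writing anything; reject the whole archive on a miss.
    bad = [n for n in zf.namelist() if not resolves_inside(dest, n)]
    if bad:
        raise ValueError("members escape destination: %r" % bad)
    zf.extractall(dest)
    return zf.namelist()

def build_zip(names):
    # Constructed sample archive, held in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed sample data")
    return zipfile.ZipFile(buf)

def demo():
    with tempfile.TemporaryDirectory() as dest:
        naive = strip_first_slash("//outside/file.txt")  # constructed name
        results = {
            "naive_still_absolute": os.path.isabs(naive),
            "naive_inside": resolves_inside(dest, naive),
            "good": safe_extract(build_zip(["docs/readme.txt"]), dest),
        }
        try:
            safe_extract(build_zip(["docs/a.txt", "../outside.txt"]), dest)
            results["rejected"] = False
        except ValueError:
            results["rejected"] = True
        # The valid member of the rejected archive must not have been written.
        results["nothing_written"] = not os.path.exists(
            os.path.join(dest, "docs", "a.txt"))
        return results
```
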

