[issue40763] zipfile.extractall is safe by now

Ama Aje My Fren report at bugs.python.org
Mon May 25 13:46:47 EDT 2020


Ama Aje My Fren <amaajemyfren at gmail.com> added the comment:

Hi,

On Mon, May 25, 2020 at 10:18 AM Va <report at bugs.python.org> wrote:

>
> So, the big red warning in Python 3 documentation might be relevant only for Python < 2.7.4, not for any Python 3 version.
>

You may be on to something. It does appear to be what was discussed in
msg181646 on issue6972.
What I see is that from CPython 3.4
(https://docs.python.org/3.4/library/zipfile.html#zipfile.ZipFile.extractall)
while the security warning is still there they add the following line in it:

> This module attempts to prevent that. See extract() note.

The extract() note goes into some detail to explain what and how they
attempt to prevent it.

It is not obvious to me that zipfile._extract_member() together with
(for Windows) zipfile._sanitize_windows_name() has handled everything
that could happen.
May I suggest that out of caution we leave it as it is?

----------
nosy: +amaajemyfren

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue40763>
_______________________________________
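To make the behaviour under discussion concrete, here is a small added example (not code from the tracker issue or from CPython itself). It builds an in-memory archive with constructed member names that a hostile zip might carry (a `..` traversal, an absolute path and an ordinary entry), extracts it with `ZipFile.extract()` into a scratch directory, and reports where each entry actually landed next to where a naive `os.path.join(dest, name)` extractor would have written. It shows what the extract() note describes for the interpreter it runs on; it does not claim the sanitisation covers every case.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample: member names a hostile archive might carry.
# These names are assumptions for the demo, not taken from the tracker issue.
HOSTILE_MEMBERS = {
    "../../escape.txt": b"traversal attempt",
    "/etc/absolute.txt": b"absolute path attempt",
    "safe/inner.txt": b"ordinary entry",
}


def build_hostile_zip(members=HOSTILE_MEMBERS):
    """Build an in-memory zip whose entry names are NOT normalised.

    ZipFile.writestr() stores the name as given, so '..' components and a
    leading '/' survive into the archive (unlike ZipFile.write(), which
    strips them when deriving the arcname from a real file).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_would_escape(dest, name):
    """True if a naive 'os.path.join(dest, name)' would land outside dest.

    os.path.join() discards dest entirely when name is absolute, and a
    '..' component is kept verbatim, so both hostile names escape.
    Nothing is written here; this only computes the would-be target.
    """
    dest = os.path.realpath(dest)
    target = os.path.normpath(os.path.join(dest, name))
    return os.path.commonpath([dest, target]) != dest


def extract_with_zipfile(zip_bytes, dest):
    """Extract every member with ZipFile.extract() and report where it landed.

    Returned paths are relative to dest with '/' separators so the result is
    platform-independent.  Raises if any file ended up outside dest.
    """
    dest = os.path.realpath(dest)
    landed = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out = os.path.realpath(zf.extract(info, dest))
            if os.path.commonpath([dest, out]) != dest:
                raise RuntimeError(f"{info.filename!r} escaped to {out}")
            landed[info.filename] = os.path.relpath(out, dest).replace(os.sep, "/")
    return landed


def run_demo():
    """Extract the hostile archive into a scratch directory.

    Returns {member_name: (path_zipfile_used, naive_join_would_escape)}.
    """
    zip_bytes = build_hostile_zip()
    with tempfile.TemporaryDirectory() as dest:
        landed = extract_with_zipfile(zip_bytes, dest)
        return {
            name: (landed[name], naive_would_escape(dest, name))
            for name in HOSTILE_MEMBERS
        }


if __name__ == "__main__":
    for name, (safe, escapes) in run_demo().items():
        print(f"{name!r:22} -> zipfile wrote {safe!r:20} naive join escapes: {escapes}")
```

On a current CPython 3 the `..` entry is written as `escape.txt` and the absolute entry as `etc/absolute.txt`, both inside the destination, while the naive join would have escaped in both cases. The `commonpath` check after extraction is the kind of independent verification worth keeping in your own code regardless of what the library promises.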

