
New submission from Va <d.python.dc54@indigo.re>: In documentation of all Python 3 versions, [ZipFile.extractall](https://docs.python.org/3/library/zipfile.html#zipfile.ZipFile.extractall) states with a big red warning:
Warning Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..". This module attempts to prevent that. See extract() note.
However, when looking at the implementation, it calls _extract_member() which seems to sanitize filenames. So the warning might not be relevant anymore. Furthermore, when looking at [Python 2](https://docs.python.org/2/library/zipfile.html#zipfile.ZipFile.extractall) documentation, we can see the same warning, along with a change note:
Changed in version 2.7.4: The zipfile module attempts to prevent that. See extract() note.
So, the big red warning in Python 3 documentation might be relevant only for Python < 2.7.4, not for any Python 3 version.

----------
assignee: docs@python
components: Documentation
messages: 369854
nosy: VA, docs@python
priority: normal
severity: normal
status: open
title: zipfile.extractall is safe by now
type: behavior
versions: Python 3.10, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <report@bugs.python.org>
<https://bugs.python.org/issue40763>
_______________________________________
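The behaviour the submission refers to, shown as an added example that is not code from this tracker thread or from CPython: a constructed in-memory archive with member names that try to escape the target directory, the "prior inspection" of names that the documentation recommends, and the paths that `ZipFile.extractall()` actually writes. All function names here are the example's own.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def build_hostile_zip():
    """Constructed sample archive (not a real artifact): three member names that
    try to escape the extraction directory, plus one benign member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("../escape.txt", "parent-directory traversal")
        zf.writestr("/abs/escape.txt", "absolute path")
        zf.writestr("sub/../../deep.txt", "traversal hidden inside a subdirectory")
        zf.writestr("ok/fine.txt", "benign")
    return buf.getvalue()


def suspicious_members(data):
    """The inspection step the docs ask for: list members whose names are absolute
    or contain a '..' component, so a caller can reject the archive up front."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return [n for n in names if posixpath.isabs(n) or ".." in n.split("/")]


def extract_and_list(data, dest):
    """Run extractall() into dest and return the relative paths of every file it
    wrote, which shows where the escaping names end up after sanitization."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
    written = []
    for root, _dirs, files in os.walk(dest):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), dest)
            written.append(rel.replace(os.sep, "/"))
    return sorted(written)


def demo():
    """Extract the hostile archive into a scratch directory and return
    (names flagged by inspection, files written relative to dest)."""
    data = build_hostile_zip()
    with tempfile.TemporaryDirectory() as dest:
        return suspicious_members(data), extract_and_list(data, dest)


if __name__ == "__main__":
    flagged, written = demo()
    print("flagged by inspection:", flagged)
    print("written under dest:   ", written)
```

The '..' and leading '/' components are stripped rather than honoured, so every file lands below the target directory; the inspection function still reports the three hostile names, which is what the warning's "prior inspection" buys you on interpreters that predate the sanitization.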