[issue20749] shutil.unpack_archive(): security concerns not documented

New submission from Jakub Wilk:

shutil.unpack_archive() uses tarfile.extractall() under the hood, so it's not suitable for unpacking untrusted archives. But this fact is not documented. Please add a security warning to shutil.unpack_archive() documentation.

----------
assignee: docs@python
components: Documentation
messages: 212029
nosy: docs@python, jwilk
priority: normal
severity: normal
status: open
title: shutil.unpack_archive(): security concerns not documented

_______________________________________
Python tracker <report@bugs.python.org>
<http://bugs.python.org/issue20749>
_______________________________________

Changes by Antoine Pitrou <pitrou@free.fr>:

----------
stage:  -> needs patch
type:  -> behavior
versions: +Python 2.7, Python 3.3, Python 3.4

Mark Lawrence added the comment:

If there is an agreed standard for security warnings I'll prepare a patch for this.

----------
nosy: +BreamoreBoy
versions: +Python 3.5 -Python 3.3

Change by Mark Lawrence <breamoreboy@gmail.com>:

----------
nosy: -BreamoreBoy
participants (3)
- Antoine Pitrou
- Jakub Wilk
- Mark Lawrence