[issue40763] zipfile.extractall is safe by now
New submission from Va
> Warning: Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..". This module attempts to prevent that. See extract() note.

However, when looking at the implementation, we see that it calls _extract_member(), which seems to sanitize filenames. So the warning might not be relevant anymore. Furthermore, when looking at the [Python 2](https://docs.python.org/2/library/zipfile.html#zipfile.ZipFile.extractall) documentation, we can see the same warning, along with a change note:

> Changed in version 2.7.4: The zipfile module attempts to prevent that. See extract() note.

So, the big red warning in the Python 3 documentation might be relevant only for Python < 2.7.4, not for any Python 3 version.
----------
assignee: docs@python
components: Documentation
messages: 369854
nosy: VA, docs@python
priority: normal
severity: normal
status: open
title: zipfile.extractall is safe by now
type: behavior
versions: Python 3.10, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9
_______________________________________
Python tracker
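As an added example (not part of this issue, and not CPython's own test code), the script below checks the behaviour the report describes: it builds an in-memory archive whose member names point outside the target directory and confirms that extractall() still places every file inside it. The member names and contents are constructed for this check.

```python
import io
import os
import tempfile
import zipfile

# Constructed member names (not from a real archive) that try to leave the
# extraction directory: leading "..", an absolute path, and ".." mid-path.
HOSTILE_NAMES = [
    "../escape.txt",
    "/abs/absolute.txt",
    "nested/../../sibling.txt",
    "normal/ok.txt",
]


def build_archive(names):
    """Return the bytes of an in-memory zip with one small member per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            # ZipInfo stores the name as given, so the hostile parts survive.
            zf.writestr(name, b"content of " + name.encode())
    return buf.getvalue()


def extractall_and_audit(archive_bytes):
    """Run extractall() into a fresh temp dir and report what landed where.

    Returns (paths, all_accounted_for): the files found under the target
    directory (relative, with "/" separators) and whether every member was
    found there. A member written anywhere else would be missing from the walk.
    """
    with tempfile.TemporaryDirectory() as target:
        root = os.path.realpath(target)
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            members = zf.namelist()
            zf.extractall(root)  # each member passes through _extract_member()
        found = []
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found), len(found) == len(members)


if __name__ == "__main__":
    paths, ok = extractall_and_audit(build_archive(HOSTILE_NAMES))
    for p in paths:
        print(p)
    print("all members inside target:", ok)
```

The sanitisation drops empty, "." and ".." path components, so "../escape.txt" becomes "escape.txt" and "/abs/absolute.txt" becomes "abs/absolute.txt" under the target directory.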