On Thursday, March 9, 2017, Victor Stinner <victor.stinner@gmail.com> wrote:
> Hi,
> I'm sorry Wes, but I don't understand your long list of URLs :-( Can
> you elaborate?

I thought that's what I was doing?

> I'm asking if there is a reason for allowing absolute paths by
> default. Maybe backward compatibility?

I think secure by default would be good here.

> 2017-03-09 20:33 GMT+01:00 Wes Turner <wes.turner@gmail.com>:
> > Docs: https://docs.python.org/3/library/tarfile.html
> I didn't write a private email to security@ because as you pointed out,
> the issue is known and *documented* in Python for 10 years.

Doesn't mean it's not broken.

> > https://python-security.readthedocs.io/
> I wrote this doc :-) I just added notes about tarfile and zipfile.

The [ ] wiki links could also be useful

> Victor
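
The tarfile behaviour discussed in this thread (absolute and `..` member names accepted by default), shown as an added example that is not part of the original e-mails or of the Python documentation. The function names `build_sample_tar`, `escaping_members` and `safe_extract` are hypothetical, the archive is constructed in memory, and POSIX paths are assumed.

```python
import io
import os
import tarfile


def build_sample_tar(names=("docs/readme.txt", "/abs/evil.txt", "../outside.txt")):
    """Build a constructed in-memory archive; TarInfo keeps names exactly as given."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def _inside(dest, path):
    """True if path, once resolved, is dest itself or lies below it."""
    return os.path.commonpath([dest, os.path.realpath(path)]) == dest


def escaping_members(tar, dest):
    """Return names of members that would be written, or would point, outside dest."""
    dest = os.path.realpath(dest)
    bad = []
    for member in tar.getmembers():
        # os.path.join discards dest when member.name is absolute.
        target = os.path.join(dest, member.name)
        ok = _inside(dest, target)
        if ok and member.issym():
            # Symlink targets are relative to the directory holding the link.
            ok = _inside(dest, os.path.join(os.path.dirname(target), member.linkname))
        elif ok and member.islnk():
            # Hard-link targets are relative to the archive root.
            ok = _inside(dest, os.path.join(dest, member.linkname))
        if not ok:
            bad.append(member.name)
    return bad


def safe_extract(tar, dest):
    """Extract only if every member stays inside dest; otherwise refuse the whole archive."""
    bad = escaping_members(tar, dest)
    if bad:
        raise ValueError("refusing to extract, members escape destination: %r" % bad)
    tar.extractall(dest)
```

Python 3.12 and later also provide extraction filters (`filter="data"` on `extractall`) that reject such members.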