[New-bugs-announce] [issue10905] zipfile: fix arcname with leading '///' or '..'

Zhigang Wang report at bugs.python.org
Fri Jan 14 13:03:48 CET 2011

New submission from Zhigang Wang <w1z2g3 at gmail.com>:

We only support arcname with one leading '/', but not more. This patch fixes it.

We don't support arcname with '..' well. The default behavior of unzip and 7z is to ignore all '..'. This patch does the same.

Also updated the doc. If there are other security related issues exist, we should revise the doc.

Please review.

components: Library (Lib)
files: python-zipfile-fix-arcname.patch
keywords: patch
messages: 126254
nosy: zhigang
priority: normal
severity: normal
status: open
title: zipfile: fix arcname with leading '///' or '..'
type: security
versions: Python 3.3
Added file: http://bugs.python.org/file20404/python-zipfile-fix-arcname.patch

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list