[Python-checkins] gh-91783: Document security considerations for shutil.unpack_archive (GH-91844)

miss-islington webhook-mailer at python.org
Mon May 2 13:36:09 EDT 2022


https://github.com/python/cpython/commit/d113674b3e20ee35ca8890650f7c0b3912f14fef
commit: d113674b3e20ee35ca8890650f7c0b3912f14fef
branch: 3.9
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: miss-islington <31488909+miss-islington at users.noreply.github.com>
date: 2022-05-02T10:36:05-07:00
summary:

gh-91783: Document security considerations for shutil.unpack_archive (GH-91844)

(cherry picked from commit 4b297a9ffd4a1d420c1a8016f4ed2c7f1d298469)

Co-authored-by: Sam Ezeh <sam.z.ezeh at gmail.com>

files:
A Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst
M Doc/library/shutil.rst

diff --git a/Doc/library/shutil.rst b/Doc/library/shutil.rst
index 403df45b3966a..193c01006171e 100644
--- a/Doc/library/shutil.rst
+++ b/Doc/library/shutil.rst
@@ -630,10 +630,16 @@ provided.  They rely on the :mod:`zipfile` and :mod:`tarfile` modules.
 
    .. audit-event:: shutil.unpack_archive filename,extract_dir,format shutil.unpack_archive
 
+   .. warning::
+
+      Never extract archives from untrusted sources without prior inspection.
+      It is possible that files are created outside of the path specified in
+      the *extract_dir* argument, e.g. members that have absolute filenames
+      starting with "/" or filenames with two dots "..".
+
    .. versionchanged:: 3.7
       Accepts a :term:`path-like object` for *filename* and *extract_dir*.
 
-
 .. function:: register_unpack_format(name, extensions, function[, extra_args[, description]])
 
    Registers an unpack format. *name* is the name of the format and
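Review bot: the new ``.. warning::`` lists only absolute names and ".." as ways a member can land outside *extract_dir*, but a tar archive can also escape through link members: a member that is a symbolic or hard link to a location outside *extract_dir*, followed by a regular member whose path goes through that link, writes outside the target even though every name is relative and contains no "..". Since ``unpack_archive`` hands tar-based formats to :mod:`tarfile`, which by default extracts member names and link targets as stored, the warning should mention this, e.g. "... or members that are symbolic or hard links pointing outside *extract_dir*." Two wording points on the same sentence: "filenames with two dots ".."" reads as if a name such as ``a..b`` were dangerous; the hazard is a path *component* equal to "..", so "path components consisting of two dots" is more precise. And on Windows a drive-letter prefix such as ``C:`` plays the same role as a leading "/", which is worth noting since the text currently names only "/".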
diff --git a/Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst b/Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst
new file mode 100644
index 0000000000000..4d6be37402079
--- /dev/null
+++ b/Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst
@@ -0,0 +1,2 @@
+Document security issues concerning the use of the function
+:meth:`shutil.unpack_archive`
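Review bot: ``:meth:`` is the wrong role here; ``shutil.unpack_archive`` is a module-level function, documented with ``.. function::`` in ``Doc/library/shutil.rst``, so the cross-reference should be ``:func:`shutil.unpack_archive```. The entry also ends without a full stop, which the NEWS entry convention expects.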