From 22b0d32d92b0170ace9cfa7f5146693440fcb1d7 Mon Sep 17 00:00:00 2001 From: Sam Ezeh Date: Sat, 23 Apr 2022 00:16:13 +0100 Subject: [PATCH 1/3] Document security considerations for shutil.unpack_archive --- Doc/library/shutil.rst | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/Doc/library/shutil.rst b/Doc/library/shutil.rst index 75ffb79d535c81..2c44590851df60 100644 --- a/Doc/library/shutil.rst +++ b/Doc/library/shutil.rst @@ -635,10 +635,15 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules. .. audit-event:: shutil.unpack_archive filename,extract_dir,format shutil.unpack_archive + .. warning:: + + Never extract archives from untrusted sources without prior inspection. + It is possible that files are created outside of path, e.g. members that have + absolute filenames starting with "/" or filenames with two dots "..". + .. versionchanged:: 3.7 Accepts a :term:`path-like object` for *filename* and *extract_dir*. - .. function:: register_unpack_format(name, extensions, function[, extra_args[, description]]) Registers an unpack format. *name* is the name of the format and From d528bd631a6519f88d0714431bcd76654d4ac022 Mon Sep 17 00:00:00 2001 From: Sam Ezeh Date: Sat, 23 Apr 2022 00:23:01 +0100 Subject: [PATCH 2/3] Add news entry --- .../Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst diff --git a/Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst b/Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst new file mode 100644 index 00000000000000..4d6be37402079c --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst @@ -0,0 +1,2 @@ +Document security issues concerning the use of the function +:meth:`shutil.unpack_archive` From 1aaec818050e92095ce9933ff5e0bee296b3faec Mon Sep 17 00:00:00 2001 
From: Sam Ezeh Date: Mon, 2 May 2022 09:06:28 +0100 Subject: [PATCH 3/3] Reference the extract_dir argument --- Doc/library/shutil.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Doc/library/shutil.rst b/Doc/library/shutil.rst index 2c44590851df60..db951c7cb44f73 100644 --- a/Doc/library/shutil.rst +++ b/Doc/library/shutil.rst @@ -638,8 +638,9 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules. .. warning:: Never extract archives from untrusted sources without prior inspection. - It is possible that files are created outside of path, e.g. members that have - absolute filenames starting with "/" or filenames with two dots "..". + It is possible that files are created outside of the path specified in + the *extract_dir* argument, e.g. members that have absolute filenames + starting with "/" or filenames with two dots "..". .. versionchanged:: 3.7 Accepts a :term:`path-like object` for *filename* and *extract_dir*.
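Review bot: In the first hunk (Doc/library/shutil.rst, the new `.. warning::` block), "files are created outside of path" does not say which path is meant, and the two examples ("/" and "..") are introduced with "e.g." without saying the list is not exhaustive; naming the target directory explicitly and noting that the examples are only the common cases (members that resolve outside the target by other means are also possible) would make the warning actionable. The wording mirrors the existing warning on :meth:`tarfile.TarFile.extractall`, so a cross-reference to it would let readers find the fuller discussion there. The hunk also drops a blank line before `.. function:: register_unpack_format(...)`, which is an unrelated whitespace change and is better left out of a commit titled "Document security considerations".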
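Review bot: In the NEWS entry hunk (Misc/NEWS.d/next/Documentation/2022-04-23-00-22-54.gh-issue-91783.N09dRR.rst), `:meth:` is the wrong role for a module-level function; `shutil.unpack_archive` is a function, so the entry should read `:func:`shutil.unpack_archive``, and the sentence is missing its terminating period.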
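Review bot: In the third hunk, "the path specified in the *extract_dir* argument" fixes the ambiguity from the first patch, but since *extract_dir* is optional it would help to add that the current working directory is the target when it is omitted, so the reader sees that an unsanitised archive can write relative to wherever the process happens to run. The literals "/" and ".." are better marked up as ``/`` and ``..`` rather than in plain quotes, consistent with the rest of this file, and "filenames with two dots" is more precisely "path components consisting of ``..``".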