Skip to content

gh-91783: Document security considerations for shutil.unpack_archive #91844

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 2, 2022
Merged

gh-91783: Document security considerations for shutil.unpack_archive #91844

merged 3 commits into from
May 2, 2022

Conversation

dignissimus
Copy link
Contributor

@dignissimus dignissimus commented Apr 22, 2022
edited
Loading

Adds a warning to the documentation for shutil.unpack_archive noting that it is unsafe to unpack archives from untrusted sources. This is done in line with the documentation from Zipfile.extractall and TarFile.extractall.

Resolves #91783

@bedevere-bot bedevere-bot added docs Documentation in the Doc dir awaiting review labels Apr 22, 2022
slimshady621
slimshady621 reviewed May 2, 2022
View reviewed changes
@JelleZijlstra JelleZijlstra added needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes labels May 2, 2022
@JelleZijlstra JelleZijlstra merged commit 4b297a9 into python:main May 2, 2022
@miss-islington
Copy link
Contributor

Thanks @dignissimus for the PR, and @JelleZijlstra for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9, 3.10.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request May 2, 2022
@dignissimus @miss-islington
pythongh-91783: Document security considerations for shutil.unpack_ar…
966fdc6 
…chive (pythonGH-91844)

(cherry picked from commit 4b297a9)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@bedevere-bot
Copy link

GH-92165 is a backport of this pull request to the 3.10 branch.

@bedevere-bot bedevere-bot removed needs backport to 3.10 only security fixes needs backport to 3.9 only security fixes labels May 2, 2022
@bedevere-bot
Copy link

GH-92166 is a backport of this pull request to the 3.9 branch.

miss-islington added a commit that referenced this pull request May 2, 2022
@miss-islington @dignissimus
gh-91783: Document security considerations for shutil.unpack_archive (G…
bab4d0b 
…H-91844)

(cherry picked from commit 4b297a9)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
miss-islington added a commit that referenced this pull request May 2, 2022
@miss-islington @dignissimus
gh-91783: Document security considerations for shutil.unpack_archive (G…
d113674 
…H-91844)

(cherry picked from commit 4b297a9)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
hello-adam pushed a commit to hello-adam/cpython that referenced this pull request Jun 2, 2022
@miss-islington @dignissimus @hello-adam
pythongh-91783: Document security considerations for shutil.unpack_ar…
29bbe32 
…chive (pythonGH-91844)

(cherry picked from commit 4b297a9)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@jwilk jwilk mentioned this pull request Jul 18, 2022
Closed
@iritkatriel iritkatriel mentioned this pull request Nov 26, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@slimshady621 slimshady621 slimshady621 left review comments

@JelleZijlstra JelleZijlstra JelleZijlstra approved these changes

Assignees
No one assigned
Labels
docs Documentation in the Doc dir
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Security] shutil unpack_archive docs should clarify the security implications
5 participants
@dignissimus @miss-islington @bedevere-bot @JelleZijlstra @slimshady621