From f755ecdb24542aa52965947c31915c534d785b65 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Tue, 16 May 2023 14:41:38 +0200 Subject: [PATCH] Backport warning to shutil.unpack_archive docs --- Doc/library/shutil.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Doc/library/shutil.rst b/Doc/library/shutil.rst index 0325a6e2af8e8b..c424c823ef62a6 100644 --- a/Doc/library/shutil.rst +++ b/Doc/library/shutil.rst @@ -665,6 +665,13 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules. .. audit-event:: shutil.unpack_archive filename,extract_dir,format shutil.unpack_archive + .. warning:: + + Never extract archives from untrusted sources without prior inspection. + It is possible that files are created outside of the path specified in + the *extract_dir* argument, e.g. members that have absolute filenames + starting with "/" or filenames with two dots "..". + .. versionchanged:: 3.7 Accepts a :term:`path-like object` for *filename* and *extract_dir*.
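Review bot: In the added warning, the phrase 'filenames with two dots ".."' is imprecise: a member named "a..b" also contains two dots but stays inside *extract_dir*, whereas the actual risk is a path that has ".." as a component (for example "../x" or "a/../../x"). Consider wording it as 'members whose path contains a ".." component'. The warning also tells the reader to inspect archives first but gives no pointer to how. Since the context line above already says these functions rely on :mod:`zipfile` and :mod:`tarfile`, a short cross-reference to the member-listing APIs in those modules would make "prior inspection" actionable. Finally, the commit message says this is a backport but does not name the original change or the target branch. A one-line reference in the message body would help later readers trace it.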