
gh-146581: Use ZipFile.extractall() in shutil for secure ZIP extraction by Shrey-N · Pull Request #146588 · python/cpython

This PR refactors shutil._unpack_zipfile to use zipfile.ZipFile.extractall() instead of a manual extraction loop. This resolves a directory traversal vulnerability on Windows where archives containing drive-prefixed paths, for example D:/file.txt, could write files outside the intended destination directory.

Changes Made

  • Replaced manual path joining and validation with ZipFile.extractall(), which leverages the zipfile module
  • Updated the _unpack_zipfile signature to accept **kwargs. This ensures compatibility with the filter argument, preventing TypeError while allowing future filter support for ZIP files.
  • This change brings ZIP extraction in line with how shutil handles TAR files, which already uses extractall().

Regression Test

Added a new test case test_unpack_zipfile_traversal_windows_drive to Lib/test/test_shutil.py. This test specifically verifies that a ZIP file containing a drive-prefixed path is safely sanitized and extracted within the intended extract_dir on Windows.

Linked Issue

#146581
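The following is an added example, not code from this PR or from CPython, illustrating the two points in the "Changes Made" and "Regression Test" sections: why a plain component-wise path join lets a drive-prefixed member such as D:/file.txt escape the destination on Windows, and how ZipFile.extractall() confines every member. Windows path semantics are emulated with ntpath so the join and containment checks run on any host; the sanitized_windows_target function is a hypothetical re-implementation of the normalization the zipfile documentation describes for extract() (drive/UNC prefix stripped, ".." components removed), not zipfile's own code, and the naive join does not reproduce the removed shutil loop or its validation. The sample archive and its member names are constructed here.

```python
import io
import ntpath
import os
import tempfile
import zipfile

# Constructed sample archive (not from the PR): member names chosen to
# probe path handling, including the drive-prefixed case the PR fixes.
HOSTILE_MEMBERS = {
    "sub/ok.txt": b"benign",
    "../escape.txt": b"dotdot",
    "/abs/escape.txt": b"absolute",
    "D:/file.txt": b"drive",
}


def build_archive(members=HOSTILE_MEMBERS):
    """Return the bytes of an in-memory ZIP holding the given member names.
    writestr() keeps the names verbatim, so the hostile ones survive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_windows_target(extract_dir, member):
    """Destination produced by joining the member's components onto
    extract_dir under Windows path rules (emulated via ntpath).
    A drive-prefixed component makes ntpath.join discard extract_dir."""
    return ntpath.join(extract_dir, *member.split("/"))


def sanitized_windows_target(extract_dir, member):
    """Hypothetical re-implementation (for illustration only) of the
    normalization the zipfile docs describe for extract(): strip the
    drive/UNC prefix, then drop empty, '.' and '..' components."""
    arcname = member.replace("/", "\\")
    arcname = ntpath.splitdrive(arcname)[1]
    parts = [p for p in arcname.split("\\") if p not in ("", ".", "..")]
    return ntpath.join(extract_dir, *parts)


def escapes_windows(extract_dir, target):
    """True if target is not confined to extract_dir under Windows semantics."""
    root = ntpath.normcase(ntpath.normpath(extract_dir))
    t = ntpath.normcase(ntpath.normpath(target))
    return not (t == root or t.startswith(root + "\\"))


def extract_with_zipfile(archive, extract_dir):
    """Extract with ZipFile.extractall() (what the PR switches shutil to) and
    map each file that landed under extract_dir, as a relative POSIX-style
    path, to its bytes."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        zf.extractall(extract_dir)
    root = os.path.realpath(extract_dir)
    placed = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                placed[rel] = fh.read()
    return placed


def demo():
    """Returns (naive_escapes, sanitized_escapes, placed): per-member escape
    verdicts for the naive and sanitized Windows joins, and what
    ZipFile.extractall() actually wrote on this host."""
    dest = "C:\\dest"  # hypothetical Windows destination, never touched on disk
    naive = {m: escapes_windows(dest, naive_windows_target(dest, m))
             for m in HOSTILE_MEMBERS}
    sanitized = {m: escapes_windows(dest, sanitized_windows_target(dest, m))
                 for m in HOSTILE_MEMBERS}
    with tempfile.TemporaryDirectory() as tmp:
        placed = extract_with_zipfile(build_archive(), tmp)
    return naive, sanitized, placed


if __name__ == "__main__":
    naive, sanitized, placed = demo()
    for member in HOSTILE_MEMBERS:
        print(f"{member:18} naive escapes={naive[member]!s:5} "
              f"sanitized escapes={sanitized[member]}")
    print("extractall() placed:", sorted(placed))
```

Under Windows rules the naive join turns D:/file.txt into D:file.txt, a drive-relative path outside C:\dest, while the sanitized join and ZipFile.extractall() both keep every member beneath the destination. On a POSIX host extractall() keeps D:/file.txt as a literal directory named "D:" inside the temp dir, which is why the PR's regression test is specific to Windows.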