gh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP files on Windows by serhiy-storchaka · Pull Request #146591 · python/cpython
added 6 commits
Use ZipFile.extractall() to sanitize file names and extract files. Files with invalid names (e.g. absolute paths) are now extracted with different names instead of being skipped or written out of the destination directory. Files containing ".." in the name are no longer skipped.
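To see the name sanitisation the commit message relies on, here is an added example (not code from the PR or from CPython): it builds a constructed archive containing a parent-traversal name and an absolute name, extracts it with ZipFile.extractall(), and verifies that every file written resolves under the destination directory.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive (not from the PR): one member that tries to climb
# out of the destination with "..", one with an absolute name, one well-behaved.
MEMBER_NAMES = {
    "../../escape.txt": b"parent traversal",
    "/abs/absolute.txt": b"absolute path",
    "safe/inner.txt": b"well-behaved member",
}


def build_sample_zip() -> bytes:
    """Serialise the constructed archive; writestr() stores names verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in MEMBER_NAMES.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extract_and_check(zip_bytes: bytes) -> dict:
    """Extract with ZipFile.extractall() into a fresh temporary directory.

    Returns {path relative to the destination: file contents}. Raises
    RuntimeError if any extracted file resolves outside the destination,
    the containment property the fix relies on extractall() to provide.
    """
    with tempfile.TemporaryDirectory() as dest:
        dest_real = os.path.realpath(dest)
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            zf.extractall(dest)
        placed = {}
        for root, _dirs, files in os.walk(dest_real):
            for fname in files:
                full = os.path.realpath(os.path.join(root, fname))
                # Containment check: the real path must stay under dest.
                if os.path.commonpath([dest_real, full]) != dest_real:
                    raise RuntimeError(f"extracted outside destination: {full}")
                rel = os.path.relpath(full, dest_real).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    placed[rel] = fh.read()
        return placed


if __name__ == "__main__":
    for rel, data in sorted(extract_and_check(build_sample_zip()).items()):
        print(f"{rel}: {data!r}")
```

The traversal member lands as escape.txt and the absolute one as abs/absolute.txt: the ".." and root components are dropped rather than the member being skipped, which is the behaviour the commit message describes.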
serhiy-storchaka added a commit that referenced this pull request
…P files on Windows (GH-146591) (GH-149065) Use ZipFile.extractall() to sanitize file names and extract files. Files with invalid names (e.g. absolute paths) are now skipped. Files containing ".." in the name are no longer skipped. (cherry picked from commit fc829e8) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
serhiy-storchaka added a commit that referenced this pull request
…P files on Windows (GH-146591) (GH-149064) Use ZipFile.extractall() to sanitize file names and extract files. Files with invalid names (e.g. absolute paths) are now skipped. Files containing ".." in the name are no longer skipped. (cherry picked from commit fc829e8) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
This was referenced
gaborbernat added a commit to gaborbernat/cpython that referenced this pull request
Introduced in python#8295 alongside shutil.unpack_archive() as a helper that created the parent directory of each extracted member. Orphaned by pythongh-146581 (pythonGH-146591), the ZIP path-traversal fix, which reworked _unpack_zipfile() to create directories inline and deleted the last _ensure_directory(targetpath) call site in the same change. Since then the private helper has had no caller: a word-boundary search across Lib, Modules, Python, Objects and Include finds zero references outside its own definition, and a GitHub code search finds no downstream importers.
philthompson10 pushed a commit to philthompson10/cpython that referenced this pull request