[3.12] gh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP files on Windows (GH-146591) by miss-islington · Pull Request #149066 · python/cpython

bedevere-app

Open

miss-islington

wants to merge 1 commit into

python:3.12from

miss-islington:backport-fc829e8-3.12

Open

[3.12] gh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP files on Windows (GH-146591)#149066
miss-islington
wants to merge 1 commit into
python:3.12from
miss-islington:backport-fc829e8-3.12

Conversation

miss-islington commented
Apr 27, 2026
•

edited by bedevere-app Bot

Loading

Copy link

Copy Markdown

Contributor

Use ZipFile.extractall() to sanitize file names and extract files.

Files with invalid names (e.g. absolute paths) are now skipped.

Files containing ".." in the name are no longer skipped.
(cherry picked from commit fc829e8)

Co-authored-by: Serhiy Storchaka storchaka@gmail.com

Issue: shutil.unpack_archive() on Windows writes outside extract_dir for ZIP entries with drive-prefixed names #146581

pythongh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP…

52a4f9a

… files on Windows (pythonGH-146591)

Use ZipFile.extractall() to sanitize file names and extract files.

Files with invalid names (e.g. absolute paths) are now skipped.

Files containing ".." in the name are no longer skipped.
(cherry picked from commit fc829e8)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

bedevere-app Bot added the type-security