
[3.11] gh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP files on Windows (GH-146591) by serhiy-storchaka · Pull Request #149071 · python/cpython


@serhiy-storchaka serhiy-storchaka commented

Apr 27, 2026

edited by bedevere-app Bot


Member

Use ZipFile.extractall() to sanitize file names and extract files.

Files with invalid names (e.g. absolute paths) are now skipped.

Files containing ".." in the name are no longer skipped.

(cherry picked from commit fc829e8)
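
Added example (not code from this PR or from CPython): it builds a constructed archive and shows how `zipfile.ZipFile.extractall()`, the call the description relies on, maps member names with a `..` component or a leading `/` to paths under the destination, while a plain name such as `notes..txt` is extracted unchanged. The member names, helper names and scratch paths are assumptions; it exercises `zipfile` directly with POSIX-style names, not `shutil.unpack_archive()` or the Windows-specific names the fix targets.

```python
import os
import tempfile
import zipfile

# Constructed member names (assumptions for this example, not from the PR).
SAMPLE_MEMBERS = {
    "docs/readme.txt": b"ordinary member",
    "../escape.txt": b"parent-directory component",
    "/abs/file.txt": b"leading slash",
    "notes..txt": b"two dots inside a plain file name",
}


def build_sample_zip(path):
    """Store the names verbatim; ZipFile.writestr() does not sanitize them."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in SAMPLE_MEMBERS.items():
            zf.writestr(name, data)


def list_files(root):
    """Return every file under root as a sorted list of '/'-separated paths."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def demo():
    """Extract the sample archive and report where its members landed.

    Returns (files created under the destination, True if nothing was
    written next to the destination directory).
    """
    with tempfile.TemporaryDirectory() as work:
        zip_path = os.path.join(work, "sample.zip")
        dest = os.path.join(work, "out")
        build_sample_zip(zip_path)
        with zipfile.ZipFile(zip_path) as zf:
            zf.extractall(dest)
        # "../escape.txt" would appear in `work` if it had escaped `dest`.
        parent_clean = sorted(os.listdir(work)) == ["out", "sample.zip"]
        return list_files(dest), parent_clean


if __name__ == "__main__":
    created, parent_clean = demo()
    print(created, parent_clean)
```
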

… files on Windows (pythonGH-146591)

Use ZipFile.extractall() to sanitize file names and extract files.

Files with invalid names (e.g. absolute paths) are now skipped.

Files containing ".." in the name are no longer skipped.

(cherry picked from commit fc829e8)

@serhiy-storchaka


Member Author

Ping. Merging this PR is needed for backport to 3.10.
