[issue40763] zipfile.extractall is safe by now

2021-03-13 Thread Gregory P. Smith
Gregory P. Smith added the comment: amaajemyfren is correct (and thanks for the pointers to the original issue and discussion). The warning remains out of caution.

nosy: +gregory.p.smith
resolution: -> not a bug
stage: -> resolved
status: open -> closed

[issue40763] zipfile.extractall is safe by now

2020-05-27 Thread Ama Aje My Fren
Ama Aje My Fren added the comment: On Tue, May 26, 2020 at 2:47 PM Va wrote:

> What hasn't been handled then?

The rules for naming files in Windows are long (https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file). It is e.g. possible to create files under WSL within Windows t

[issue40763] zipfile.extractall is safe by now?

2020-05-26 Thread Va
Change by Va:

components: +Library (Lib)
title: zipfile.extractall is safe by now -> zipfile.extractall is safe by now?
type: behavior -> security

[issue40763] zipfile.extractall is safe by now

2020-05-26 Thread Va
Va added the comment:

> It is not obvious to me that zipfile._extract_member() together with (for windows) zipfile._sanitize_windows_name() have handled everything that could happen.

What hasn't been handled then? What is the safe way to use it? I think documenting "this function is unsafe" w

[issue40763] zipfile.extractall is safe by now

2020-05-25 Thread Ama Aje My Fren
Ama Aje My Fren added the comment: Hi, On Mon, May 25, 2020 at 10:18 AM Va wrote:

> So, the big red warning in Python 3 documentation might be relevant only for Python < 2.7.4, not for any Python 3 version.

You may be on to something. It does appear to be what was discussed in msg181

[issue40763] zipfile.extractall is safe by now

2020-05-25 Thread Va
New submission from Va: In documentation of all Python 3 versions, [ZipFile.extractall](https://docs.python.org/3/library/zipfile.html#zipfile.ZipFile.extractall) states with a big red warning:

> Warning
> Never extract archives from untrusted sources without prior inspection. It is possi
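An added example (not from this tracker thread or from CPython itself) that makes the question concrete: it builds a constructed in-memory archive whose member names cover the cases the thread argues about, applies the "prior inspection" the docs ask for, and then checks where `extractall()` actually places each file relative to the target directory. The member names, the `is_suspicious_name` rule and the sandbox layout are all assumptions of this example.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

# Constructed member names covering the cases the thread argues about: a plain
# path, '..' traversal, an absolute path and a Windows drive prefix.
SAMPLE_MEMBERS = {
    "docs/readme.txt": b"plain member\n",
    "../../escaped.txt": b"tries to climb out of the target\n",
    "/etc/absolute.txt": b"absolute path\n",
    "C:\\drive.txt": b"drive-letter prefix\n",
}

def build_archive(members=SAMPLE_MEMBERS) -> bytes:
    """Build an in-memory zip whose entries carry the raw names above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def is_suspicious_name(name: str) -> bool:
    """Docs' 'prior inspection': flag absolute paths, drive prefixes, '..' parts."""
    parts = name.replace("\\", "/").split("/")
    return (name.startswith(("/", "\\"))
            or re.match(r"^[A-Za-z]:", name) is not None
            or ".." in parts)

def suspicious_members(archive: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if is_suspicious_name(n)]

def extract_and_verify(archive: bytes) -> Dict[str, bool]:
    """Run extractall() into a target nested in a sandbox and report, for every
    file found under the sandbox, whether it stayed inside the target; a '..'
    escape shows up as False (two levels of climbing still stay in the sandbox)."""
    report = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        target = root / "a" / "b" / "out"
        target.mkdir(parents=True)
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            zf.extractall(target)
        for path in root.rglob("*"):
            if path.is_file():
                report[path.relative_to(root).as_posix()] = target in path.resolve().parents
    return report
```

With current CPython the inspection flags three of the four names, while the report shows all four files landing inside the target (the traversal and absolute entries are written as `escaped.txt` and `etc/absolute.txt` under it), which is the sanitising behaviour of `_extract_member` the thread refers to.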