From 92d653a8bd26617df5b78f692fc9a5a1e588c5f4 Mon Sep 17 00:00:00 2001 From: Serhiy Storchaka Date: Mon, 18 May 2026 17:05:52 +0300 Subject: [PATCH 1/2] gh-146581: Update docs for dangerous filenames in ZIP files --- Doc/library/shutil.rst | 2 +- Doc/library/zipfile.rst | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Doc/library/shutil.rst b/Doc/library/shutil.rst index d289ba58c24065..81344c85a2a76d 100644 --- a/Doc/library/shutil.rst +++ b/Doc/library/shutil.rst @@ -750,7 +750,7 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules. Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of the path specified in the *extract_dir* argument, e.g. members that have absolute filenames - starting with "/" or filenames with two dots "..". + or filenames with ".." components. Since Python 3.14, the defaults for both built-in formats (zip and tar files) will prevent the most dangerous of such security issues, diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst index 9999ac26999910..ca08e3ce344eef 100644 --- a/Doc/library/zipfile.rst +++ b/Doc/library/zipfile.rst @@ -412,8 +412,8 @@ ZipFile objects Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of *path*, e.g. members - that have absolute filenames starting with ``"/"`` or filenames with two - dots ``".."``. This module attempts to prevent that. + that have absolute filenames or filenames with ".." components. + This module attempts to prevent that. See :meth:`extract` note. .. versionchanged:: 3.6 
@@ -590,7 +590,7 @@ Path objects The :class:`Path` class does not sanitize filenames within the ZIP archive. Unlike the :meth:`ZipFile.extract` and :meth:`ZipFile.extractall` methods, it is the caller's responsibility to validate or sanitize filenames to prevent path traversal - vulnerabilities (e.g., filenames containing ".." or absolute paths). When handling + vulnerabilities (e.g., absolute paths or paths with ".." cmponents). When handling untrusted archives, consider resolving filenames using :func:`os.path.abspath` and checking against the target directory with :func:`os.path.commonpath`. From cadce7a5552ebd1344921329ef836c43eff97e91 Mon Sep 17 00:00:00 2001 From: Serhiy Storchaka Date: Mon, 18 May 2026 21:52:35 +0300 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Stan Ulbrych --- Doc/library/shutil.rst | 2 +- Doc/library/zipfile.rst | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doc/library/shutil.rst b/Doc/library/shutil.rst index 81344c85a2a76d..e0300a38e2f357 100644 --- a/Doc/library/shutil.rst +++ b/Doc/library/shutil.rst @@ -749,7 +749,7 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules. Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of the path specified in - the *extract_dir* argument, e.g. members that have absolute filenames + the *extract_dir* argument, for example, members that have absolute filenames or filenames with ".." components. Since Python 3.14, the defaults for both built-in formats (zip and tar diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst index ca08e3ce344eef..ebafcb977803d4 100644 --- a/Doc/library/zipfile.rst +++ b/Doc/library/zipfile.rst 
@@ -411,7 +411,7 @@ ZipFile objects .. warning:: Never extract archives from untrusted sources without prior inspection. - It is possible that files are created outside of *path*, e.g. members + It is possible that files are created outside of *path*, for example, members that have absolute filenames or filenames with ".." components. This module attempts to prevent that. See :meth:`extract` note. @@ -590,7 +590,7 @@ Path objects The :class:`Path` class does not sanitize filenames within the ZIP archive. Unlike the :meth:`ZipFile.extract` and :meth:`ZipFile.extractall` methods, it is the caller's responsibility to validate or sanitize filenames to prevent path traversal - vulnerabilities (e.g., absolute paths or paths with ".." cmponents). When handling + vulnerabilities (for example, absolute paths or paths with ".." components). When handling untrusted archives, consider resolving filenames using :func:`os.path.abspath` and checking against the target directory with :func:`os.path.commonpath`.
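Review bot: in the first commit's shutil.rst hunk, the new line leaves ".." as plain quoted text while the zipfile.rst warning edited in the same patch rendered it as the literal ``".."``; using the same literal markup in both files would keep the two warnings consistent and make it read as a path component rather than punctuation, e.g. `or filenames with ``".."`` components.`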
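Review bot: the first commit's zipfile.rst `@@ -412,8` hunk drops the double-backtick literal markup that the removed lines had around ``"/"`` and ``".."``, so ".." now renders as ordinary prose; keeping the literal form on the replacement line, `that have absolute filenames or filenames with ``".."`` components.`, preserves the previous code rendering and matches the surrounding reST conventions.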
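Review bot: the added line in the first commit's zipfile.rst `@@ -590,7` hunk misspells "components" as "cmponents"; the second commit corrects it, so squashing the two commits before merge would avoid landing the typo in the history.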